CVE-2019-9193
published 2019-04-01

Priority: P1 · 81 · high
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.88% (99.8th percentile)
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

Affected

1 range
Vendor        Product       Version range   Fixed in
postgresql    postgresql    9.3 – 11.2      (not listed)

Detection & IOCs (extracted from sources)

port: 5432
command: '; DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id'; SELECT * FROM cmd_exec;--
sigma regex: ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)
  • Alert on brute-force authentication attempts against PostgreSQL (port 5432) using the default 'postgres' username, particularly with common passwords such as '112233' and '1q2w3e4r'.
  • Detect DreamBus ELF binaries with modified UPX headers: the standard UPX magic bytes 0x21585055 ('UPX!') are replaced with non-ASCII values such as 0x3330dddf. Flag ELF binaries where the UPX header magic does not match the standard signature.
  • Monitor for processes impersonating 'tracepath' that are not the legitimate system binary, particularly those spawned from PostgreSQL server processes or located in writable temp directories.
  • Flag HTTP requests with a User-Agent string of a single hyphen ('-') character, which is the hardcoded cURL user-agent used by DreamBus modules for C2 communications.
  • Detect WildFire-style behavioral indicators: self-deletion of the initial payload binary and process name impersonation (e.g., renaming to 'tracepath') shortly after execution from a PostgreSQL context.
  • In PostgreSQL audit logs, alert on any use of 'COPY ... FROM PROGRAM' SQL statements, especially when issued by the 'postgres' superuser account from a remote session.
  • CVE-2019-9193 is a disputed CVE. The PostgreSQL community argues that 'COPY TO/FROM PROGRAM' is functioning as intended and is not a vulnerability, provided superuser privileges are not granted to remote or untrusted users. Detection should be tuned to context (remote superuser sessions) to avoid false positives on legitimate administrative use.
  • The PGMiner C2 mining pool was no longer active at time of analysis, so profit/scale data is unavailable and the specific mining pool IOCs may not be actionable for current detections.
  • At time of publication, none of the VirusTotal vendors detected PGMiner, meaning AV/EDR signature-based detections may be ineffective; behavioral and network-based detections are preferred.
  • The DreamBus UPX header modification (replacing 0x21585055 with values like 0x3330dddf) breaks the standard UPX unpacking tool, so automated unpacking pipelines relying on the UPX CLI may fail to analyze these samples.
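The two detection notes above that concern the database itself (alert on 'COPY ... FROM PROGRAM' in audit logs, and tune that alert to remote superuser sessions so local administrative use does not page) can be expressed as a small log-scanning routine. The following is an added example written for this entry; it is not code from the advisory, from PostgreSQL, or from the cited reports. It assumes the server logs statements (log_statement = 'all' or an equivalent audit extension) with log_line_prefix = '%m [%p] %u@%d %r ', so every line carries user, database and the client address (%r renders Unix-socket sessions as '[local]'); the set of privileged accounts is a stand-in for a lookup against pg_authid and pg_auth_members, and the sample log lines are constructed. The id-output check reuses the sigma regex quoted above, applied to whatever text a monitoring layer captures (for example proxied query results).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption (not from the advisory): log_line_prefix = '%m [%p] %u@%d %r '.
# Adjust LOG_RE to match your own prefix; the rest of the logic is prefix-independent.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<conn>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# COPY ... FROM PROGRAM and COPY ... TO PROGRAM both run a server-side program.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)

# The sigma regex listed in the IOC section: id(1)-style output such as 'uid=70(postgres)'.
ID_OUTPUT_RE = re.compile(r"((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)")

# Assumption: accounts that are superusers or members of pg_execute_server_program.
# In production derive this from pg_authid.rolsuper and pg_auth_members, not a static set.
PRIVILEGED_USERS = {"postgres"}


@dataclass
class Alert:
    severity: str   # "high" = remote privileged session; "info" = audit record only
    user: str
    conn: str
    statement: str


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its prefix fields and message, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_remote(conn: str) -> bool:
    """%r prints '[local]' for Unix-socket sessions; anything else is a network peer."""
    return conn != "[local]"


def classify(rec: dict) -> Optional[Alert]:
    """Return an Alert when the statement runs a server-side program, graded by context."""
    if not COPY_PROGRAM_RE.search(rec["msg"]):
        return None
    # The pattern the advisory describes: a privileged account on a remote session.
    if is_remote(rec["conn"]) and rec["user"] in PRIVILEGED_USERS:
        severity = "high"
    else:
        # Local administrative use of COPY FROM PROGRAM is legitimate: keep the record
        # for audit, but do not page on it (the tuning the notes above call for).
        severity = "info"
    return Alert(severity, rec["user"], rec["conn"], rec["msg"])


def detect(lines: List[str]) -> List[Alert]:
    """Run classify() over a batch of log lines, skipping lines that do not parse."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


def looks_like_id_output(text: str) -> bool:
    """True when captured text contains id(1)-style uid/gid/groups output."""
    return ID_OUTPUT_RE.search(text) is not None


# Constructed sample log (not real data): one remote superuser session running a program,
# one local administrative import via a program, and two statements that should not alert.
SAMPLE_LOG = [
    "2024-01-01 12:00:00.000 UTC [2211] postgres@postgres 203.0.113.7(51234) LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';",
    "2024-01-01 12:00:01.000 UTC [2212] postgres@postgres [local] LOG:  statement: COPY imp FROM PROGRAM 'gunzip -c /var/backups/imp.csv.gz';",
    "2024-01-01 12:00:02.000 UTC [2213] app@shop 10.0.0.12(44321) LOG:  statement: COPY orders FROM '/tmp/orders.csv';",
    "2024-01-01 12:00:03.000 UTC [2211] postgres@postgres 203.0.113.7(51234) LOG:  statement: SELECT * FROM cmd_exec;",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user} from {a.conn}: {a.statement}")
```

Only the first sample line is graded "high": it combines a privileged account, a network peer and a server-side program, which is exactly the context the disputed-CVE note says detections should be tuned to. The local import is kept as an "info" record so that legitimate administrative use stays visible in the audit trail without generating pages.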

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.2     HIGH       CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck                 7.2     HIGH
vendor_redhat             7.2     HIGH