CVEs-PoC/2017/CVE-2017-12172.md
2025-09-29 21:09:30 +02:00
### [CVE-2017-12172](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172)
![](https://img.shields.io/static/v1?label=Product&message=postgresql&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=10.x%20before%2010.1%2C%209.6.x%20before%209.6.6%2C%209.5.x%20before%209.5.10%2C%209.4.x%20before%209.4.15%2C%209.3.x%20before%209.3.20%2C%209.2.x%20before%209.2.24%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-59&color=brightgreen)
### Description
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.
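The symlink-following pattern described above, as an added hardening example in C (not PostgreSQL's own start script nor any packager's): the path-based open/chown/chmod sequence beside a descriptor-based version that refuses symlinks, exercised against a constructed temp directory. Function names and paths are assumptions.

```c
// Added hardening example, not PostgreSQL's start script; paths are constructed.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: every call resolves the file NAME again, so a
 * symlink planted at `path` redirects the root-run chown()/chmod() to its target. */
int prepare_log_unsafe(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd < 0) return -1;
    close(fd);
    return (chown(path, uid, gid) == 0 && chmod(path, 0640) == 0) ? 0 : -1;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP if the final component
 * is a symlink; owner and mode are then set on the open DESCRIPTOR, not the name. */
int prepare_log_safe(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0) return -1;                            /* errno: ELOOP for a symlink */
    struct stat st;                                   /* refuse devices, FIFOs, dirs */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        fchown(fd, uid, gid) != 0 || fchmod(fd, 0640) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario: a temp dir with a real log file and a symlink named like a
 * log file but pointing at another file. Result bits: 1 = safe variant rejected the
 * link with ELOOP, 2 = safe variant accepted the real file, 4 = unsafe followed it. */
int run_demo(void)
{
    char dir[] = "/tmp/pglog-demo-XXXXXX", target[256], lnk[256], plain[256];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/postgres.log", dir);
    snprintf(plain, sizeof plain, "%s/real.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600), fd, result = 0;
    if (t < 0 || close(t) != 0 || symlink(target, lnk) != 0) return -1;
    if (prepare_log_safe(lnk, getuid(), getgid()) == -1 && errno == ELOOP) result |= 1;
    if ((fd = prepare_log_safe(plain, getuid(), getgid())) >= 0) { result |= 2; close(fd); }
    if (prepare_log_unsafe(lnk, getuid(), getgid()) == 0) result |= 4;
    unlink(lnk); unlink(target); unlink(plain); rmdir(dir);
    return result;                                    /* 7 when all three hold */
}
```

O_NOFOLLOW only guards the final path component, so the log directory itself must not be writable by the database user; the more robust fix is to not open or chown the log file as root at all.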
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/lekctut/sdb-hw-13-01
- https://github.com/pedr0alencar/vlab-metasploitable2