Varonis Threat Labs discovered a remote code execution (RCE) vector in PostgreSQL by chaining vulnerabilities in PL/Perl and PL/Rust, demonstrated at DEF CON 2025; AWS detected and blocked their exploit attempts on Amazon RDS. Postgres published patches and Varonis recommends upgrading Postgres, updating PL/Rust, removing debugging tools like rust-gdb, and monitoring logs. #PLPerl #PLRust #rust-gdb
Key points
- Varonis found an RCE primitive in PL/Perl that allowed setting environment variables in PostgreSQL session worker processes.
- By abusing PL/Rust’s compilation step (cargo) and environment variables, researchers escalated the primitive to execute arbitrary code.
- The exploit technique relied on environment variables like RUST_GDB and BASH_ENV to cause debug or shell binaries to run commands from the environment.
- Attempts against Amazon RDS were detected and blocked by AWS automated protections; SELinux and managed restrictions prevented access to sensitive data or cross-customer access.
- Postgres released an advisory and patches on Nov 14, 2024; Varonis demonstrated the findings at DEF CON 2025 and recommends upgrades and monitoring.
- Recommendations include upgrading Postgres and PL/Rust, removing debugging tools (e.g., rust-gdb) from production, and restricting allowed extensions via rds.allowed_extensions.
- Under the AWS shared responsibility model, customers must secure configuration, network access, and data while AWS manages the managed-service infrastructure.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used environment-variable-based invocation of binaries (e.g., BASH_ENV) to execute commands: ‘Setting the environment variable to ‘$(command 2>&1)’ will cause command to run and print its output to stderr.’
- [T1204] User Execution – Leveraged trusted language extensions (PL/Perl, PL/Rust) to run code in the database session context: ‘The vulnerability in PL/Perl allowed us to set environment variables on session worker processes.’
- [T1543] Create or Modify System Process – Manipulated environment variables (RUST_GDB, BASH_ENV) to influence process execution and launch binaries during PL/Rust compilation: ‘rust-gdb…when reading the RUST_GDB environment variable…uses the variable’s value to determine what binary to execute.’
- [T1078] Valid Accounts – Abused permitted Postgres function execution context and inherited environment of the Postgres user session to perform compilation and execution: ‘When creating a plrust function, the extension…runs the compilation process from the Postgres user’s current session, inheriting the same environment.’
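The key points and the MITRE mapping above give a defender three things to look for in PostgreSQL statement logs: creation of functions in PL/Perl or PL/Rust, function bodies that reference the environment variables named in the report (RUST_GDB, BASH_ENV), and the shell command-substitution shape quoted under T1059. The following detection script is an added example written for this summary; it is not code from Varonis, PostgreSQL or AWS. It assumes `log_statement` is set to `ddl` or `all` so that CREATE FUNCTION / CREATE EXTENSION statements are logged, and that each statement occupies one log line (multi-line statements would need to be joined first). The sample log lines, their `%t:%r:%u@%d:[%p]:` style prefix and the function bodies are constructed for the example; the plperlu language is included in the watch list as an assumption, since it runs untrusted Perl by design.

```python
"""Scan PostgreSQL statement logs for the activity described in the report:
function creation in PL/Perl or PL/Rust, references to the environment
variables named in the write-up (RUST_GDB, BASH_ENV), and shell
command-substitution syntax inside function bodies.
Added example for this summary, not Varonis, PostgreSQL or AWS code."""
import re
from dataclasses import dataclass

# Languages the report names as part of the chain. plperlu (untrusted PL/Perl)
# is added as an assumption: it can run arbitrary Perl by design.
WATCHED_LANGUAGES = {"plperl", "plperlu", "plrust"}
# Environment variable names the report says were used to redirect execution.
WATCHED_ENV_NAMES = ("RUST_GDB", "BASH_ENV")

# The 'statement:' part of a log_statement = 'ddl' / 'all' log entry.
STATEMENT_RE = re.compile(r"LOG:\s+statement:\s+(?P<stmt>.*)$")
CREATE_FUNCTION_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b", re.IGNORECASE)
LANGUAGE_RE = re.compile(r"\bLANGUAGE\s+['\"]?(?P<lang>\w+)", re.IGNORECASE)
CREATE_EXTENSION_RE = re.compile(
    r"\bCREATE\s+EXTENSION\s+(?:IF\s+NOT\s+EXISTS\s+)?['\"]?(?P<ext>\w+)", re.IGNORECASE)
# $(...) or backtick command substitution, the shape quoted in the report for BASH_ENV.
COMMAND_SUBST_RE = re.compile(r"\$\([^)]*\)|`[^`]+`")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str   # "medium": worth review; "high": matches the reported technique
    reason: str
    statement: str


def analyze_statement(line_no: int, stmt: str) -> list[Finding]:
    """Return findings for one logged SQL statement."""
    findings: list[Finding] = []
    ext = CREATE_EXTENSION_RE.search(stmt)
    if ext and ext.group("ext").lower() in WATCHED_LANGUAGES:
        findings.append(Finding(line_no, "medium", f"extension {ext.group('ext')} enabled", stmt))
    if CREATE_FUNCTION_RE.search(stmt):
        lang = LANGUAGE_RE.search(stmt)
        if lang and lang.group("lang").lower() in WATCHED_LANGUAGES:
            lang_name = lang.group("lang").lower()
            findings.append(Finding(line_no, "medium", f"function created in {lang_name}", stmt))
            # Escalate when the body names the variables the report ties to code execution.
            for name in WATCHED_ENV_NAMES:
                if name in stmt:
                    findings.append(Finding(line_no, "high",
                                            f"{lang_name} function body references {name}", stmt))
            # Escalate on the $(command ...) shape quoted in the report.
            if COMMAND_SUBST_RE.search(stmt):
                findings.append(Finding(line_no, "high",
                                        f"{lang_name} function body contains shell command substitution", stmt))
    return findings


def analyze_log(text: str) -> list[Finding]:
    """Run analyze_statement over every 'statement:' entry in a log text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = STATEMENT_RE.search(line)
        if m:
            findings.extend(analyze_statement(line_no, m.group("stmt")))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("medium", "high")}


# Constructed sample log. The prefix imitates an RDS-style log_line_prefix; the
# function bodies are illustrative only and are not the report's exploit code.
SAMPLE_LOG = """\
2025-08-09 10:01:02 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: CREATE FUNCTION add(a int, b int) RETURNS int AS $$ SELECT a + b $$ LANGUAGE sql;
2025-08-09 10:01:05 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: CREATE EXTENSION IF NOT EXISTS plrust;
2025-08-09 10:01:07 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: CREATE FUNCTION greet(n text) RETURNS text AS $$ return "hi $_[0]"; $$ LANGUAGE plperl;
2025-08-09 10:01:09 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: CREATE OR REPLACE FUNCTION probe() RETURNS text AS $$ return $ENV{RUST_GDB}; $$ LANGUAGE plperl;
2025-08-09 10:01:11 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: CREATE FUNCTION shape() RETURNS text AS $$ return '$(command 2>&1)'; $$ LANGUAGE plperl;
2025-08-09 10:01:15 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: CREATE FUNCTION inc(a int) RETURNS int AS $$ Ok(Some(a + 1)) $$ LANGUAGE plrust;
2025-08-09 10:02:00 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: SELECT count(*) FROM orders;
2025-08-09 10:02:01 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  connection received: host=10.0.0.5 port=51234
"""

if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
    print(summarize(results))
```

On the sample above the script reports five medium findings (the plrust extension and four function creations in watched languages) and two high findings (the RUST_GDB reference and the `$(command 2>&1)` body). Medium findings are expected noise wherever PL/Perl or PL/Rust are legitimately used; the high ones are the events to alert on, and a plrust function creation immediately followed by unexpected child processes of the Postgres backend would be the corresponding host-side signal.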
Indicators of Compromise
- [File/Tool] debugging and build binaries referenced in exploit context – rust-gdb, /bin/bash
- [Extension] targeted extensions and configuration – PL/Perl (plperl), PL/Rust (plrust)
- [Config Parameter] AWS RDS configuration – rds.allowed_extensions (recommendation to restrict allowed extensions)
Read more: https://www.varonis.com/blog/rusty-pearl