| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Arbitrary filesystem access |
|
| Description |
| + |
In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This does allow arbitrary files to be created, but they will be sqlite databases. |
|
| References |
| + |
https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8 |
| + |
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension |
| + |
https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
This issue can be mitigated by filtering for the ATTACH keyword or running osquery as a non-root user. |
|