
sanjaykcse

08/28/2020, 1:06 PM
osqueryd (the daemon) is based on SQLite and executes on the node with root privilege. Have the osquery binaries been evaluated for SQL-injection-style attacks? I understand it fetches data from a virtual database; is there any possibility of dropping binaries and gaining a root shell (a common pattern of SQL injection attacks)?

zwass

08/28/2020, 3:56 PM
Yes, some vulnerabilities have been found in the past: https://github.com/osquery/osquery/security/advisories?state=published
👍 1

sundsta

08/28/2020, 4:36 PM
Also, it doesn't need to run as root if you're on Linux, if you aren't using evented tables.

zwass

08/28/2020, 4:37 PM
It doesn't necessarily need to run as root on any system, but the capabilities will be limited based on the capabilities of the user.
👍 1

sundsta

08/28/2020, 4:39 PM
Correct, it's just much easier on Linux using capabilities (specifically CAP_DAC_READ_SEARCH).

zwass

08/28/2020, 4:41 PM
Oh, interesting. I'd love to read a blog or any content to learn more about this!

sundsta

08/28/2020, 4:43 PM
Well, it's not exactly a blog post, but you can probably get the general idea from my issue https://github.com/osquery/osquery/issues/6121 and the man pages https://man7.org/linux/man-pages/man7/capabilities.7.html
👍 1

seph

08/28/2020, 7:16 PM
Generally speaking, one does not expose osquery to untrusted parties, so SQL injection isn't the highest risk.
To be able to execute SQL inside osquery, you implicitly have access to osquery, which generally is presenting a lot of information already. Granted, that's not the same as being able to write in a root context.