#general
sanjaykcse

08/28/2020, 1:06 PM
osqueryd (daemon) is based on SQLite and executes on the node with root privilege. Have osquery binaries been evaluated for SQL injection kinds of attacks? I understand it fetches data from a virtual database; any possibility of dropping binaries and gaining a root shell (common pattern of SQL injection attacks)?
zwass

08/28/2020, 3:56 PM
Yes, some vulnerabilities have been found in the past: https://github.com/osquery/osquery/security/advisories?state=published
sundsta

08/28/2020, 4:36 PM
Also, it doesn't need to run as root if you're on Linux, if you aren't using evented tables.
zwass

08/28/2020, 4:37 PM
It doesn't necessarily need to run as root on any system, but the capabilities will be limited based on the capabilities of the user.
sundsta

08/28/2020, 4:39 PM
Correct, it's just much easier on Linux using capabilities (specifically CAP_DAC_READ_SEARCH).
zwass

08/28/2020, 4:41 PM
Oh, interesting. I'd love to read a blog or any content to learn more about this!
sundsta

08/28/2020, 4:43 PM
Well, it's not exactly a blog post, but you can probably get the general idea from my issue https://github.com/osquery/osquery/issues/6121 and the man pages https://man7.org/linux/man-pages/man7/capabilities.7.html
seph

08/28/2020, 7:16 PM
Generally speaking, one does not expose osquery to untrusted parties. So SQL injection isn't the highest risk.
7:17 PM
To be able to execute SQL inside osquery, you implicitly have access to osquery, which generally is presenting a lot of information already. Granted, that's not the same as being able to write in a root context.