In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This does allow arbitrary files to be created, but they will be sqlite databases.
https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension
https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c
Workaround
==========
This issue can be mitigated by filtering for the ATTACH keyword or running osquery as a non-root user.
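
The following is an added example, not osquery's code and not part of the advisory. It uses Python's built-in sqlite3 module to show the keyword filter described in the workaround next to a SQLite authorizer callback that refuses ATTACH when the statement is compiled. The function names and the scratch paths are assumptions made for illustration.

```python
import os
import re
import sqlite3
import tempfile

# ATTACH as a standalone keyword, any case. Deliberately conservative: it also
# matches inside comments and string literals, so it errs toward over-blocking.
_ATTACH = re.compile(r"\battach\b", re.IGNORECASE)

def query_mentions_attach(sql):
    """Keyword filter from the workaround: True if the query should be rejected."""
    return bool(_ATTACH.search(sql))

def deny_attach(action, arg1, arg2, db_name, source):
    """SQLite authorizer callback: refuse ATTACH, allow everything else."""
    if action == sqlite3.SQLITE_ATTACH:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def attach_creates_file(path, harden):
    """Try to ATTACH and write to `path`; report whether the file now exists."""
    conn = sqlite3.connect(":memory:")
    if harden:
        conn.set_authorizer(deny_attach)
    try:
        conn.execute("ATTACH DATABASE ? AS extra", (path,))
        conn.execute("CREATE TABLE extra.t (x)")
        conn.commit()
    except sqlite3.DatabaseError:
        pass  # with the authorizer installed, ATTACH fails with "not authorized"
    finally:
        conn.close()
    return os.path.exists(path)

if __name__ == "__main__":
    workdir = tempfile.mkdtemp()  # constructed scratch location
    for harden in (False, True):
        target = os.path.join(workdir, f"attached_{harden}.db")
        print("authorizer:", harden, "file created:", attach_creates_file(target, harden))
    for q in ("SELECT pid FROM processes", "attach database '/tmp/x.db' as y"):
        print(repr(q), "rejected:", query_mentions_attach(q))
```

The keyword filter works on query text before it reaches the engine, while the authorizer is enforced by SQLite itself and does not depend on how the query is spelled.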