Skip to content
/ database_test Public template
forked from duckdb/extension-template

Template for DuckDB extensions to help you develop, test and deploy a custom extension

License

Notifications You must be signed in to change notification settings

Tu0Laj1/database_test

 
 

Repository files navigation

Summary

In the DuckDB database, there is a feature for writing custom extensions. Attackers can write a custom extension containing malicious commands based on the DuckDB extension template(https://github.com/duckdb/extension-template). While compiling this malicious extension, a duckdb binary program containing this malicious extension will also be generated. Attackers can replace the normal duckdb program on the victim's machine with this malicious extension. When the victim starts this malicious duckdb program and executes a specific SQL statement, the malicious command will be triggered.

Impact

https://github.com/duckdb/duckdb,<=0.9.2

Install vcpkg

git clone https://github.com/Microsoft/vcpkg.git
./vcpkg/bootstrap-vcpkg.sh
export VCPKG_TOOLCHAIN_PATH=`pwd`/vcpkg/scripts/buildsystems/vcpkg.cmake

Clone the malicious extension

git clone --recurse-submodules https://github.com/Tu0Laj1/database_test.git
cd database_test

Modify file

Modify src/quark_extension.cpp,modify the file content to a custom malicious command,and modify the extension function name

vim src/quack_extension.cpp
企业微信截图_17032404145324

Build the malicious extension

Now to build the malicious extension, run:

make

Running the malicious duckdb

/database_test/build/release/duckdb, a malicious duckdb containing malicious extension programs, can be copied and run on any machine. Attackers can replace the victim's normal duckdb with this malicious duckdb

cd database_test
./build/release/duckdb

Running the malicious extension

When the victim runs a malicious duckdb and the executed SQL statement contains the function name defined by the attacker, the malicious command will be executed. (Why did I choose 'database'? Because 'database/databases' is a function included in many other databases, but it is not available in duckdb, so the probability of victims mistakenly triggering malicious commands will be increased.)

select database();
企业微信截图_1703465596446

Of course, when you place this duckdb containing malicious extensions on a Linux host to run, you may need to install additional dependency components, such as GLIBC, etc

About

Template for DuckDB extensions to help you develop, test and deploy a custom extension

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Makefile 31.8%
  • Python 21.0%
  • Shell 19.4%
  • C++ 15.8%
  • CMake 6.1%
  • JavaScript 5.9%