In the DuckDB database, there is a feature for writing custom extensions. Attackers can write a custom extension containing malicious commands based on the DuckDB extension template(https://github.com/duckdb/extension-template). While compiling this malicious extension, a duckdb binary program containing this malicious extension will also be generated. Attackers can replace the normal duckdb program on the victim's machine with this malicious extension. When the victim starts this malicious duckdb program and executes a specific SQL statement, the malicious command will be triggered.
https://github.com/duckdb/duckdb,<=0.9.2
git clone https://github.com/Microsoft/vcpkg.git
./vcpkg/bootstrap-vcpkg.sh
export VCPKG_TOOLCHAIN_PATH=`pwd`/vcpkg/scripts/buildsystems/vcpkg.cmake
git clone --recurse-submodules https://github.com/Tu0Laj1/database_test.git
cd database_test
Modify src/quark_extension.cpp,modify the file content to a custom malicious command,and modify the extension function name
vim src/quack_extension.cpp
Now to build the malicious extension, run:
make
/database_test/build/release/duckdb, a malicious duckdb containing malicious extension programs, can be copied and run on any machine. Attackers can replace the victim's normal duckdb with this malicious duckdb
cd database_test
./build/release/duckdb
When the victim runs a malicious duckdb and the executed SQL statement contains the function name defined by the attacker, the malicious command will be executed. (Why did I choose 'database'? Because 'database/databases' is a function included in many other databases, but it is not available in duckdb, so the probability of victims mistakenly triggering malicious commands will be increased.)
select database();
Of course, when you place this duckdb containing malicious extensions on a Linux host to run, you may need to install additional dependency components, such as GLIBC, etc