Query that no longer works


martinl...@gmail.com

Dec 19, 2021, 10:08:10 PM
to velociraptor-discuss
Hi,

We have code that uses this query:

SELECT * FROM execve(argv=['rm', '-rf', get(item=file_store(path='/clients/<client_id>/monitoring'), member='0')])

that used to work but now the "get(item=file_store(path='/clients/<client_id>/monitoring'), member='0')" query evaluates to Null. When I run the file_store(path='/clients/<client_id>/monitoring') query manually I get this:

[{"file_store(path='/clients/')": '/opt/velociraptor/0.6.2/clients'}]

I checked the doco and the syntax for get is as expected, so I would have thought that the query should return {"file_store(path='/clients/')": '/opt/velociraptor/0.6.2/clients'} as item zero in the list instead of Null.

Can you please let me know what I am missing? The doco says that file_store may stop working in the future, is that what has happened?

Thanks,
Martin.


Mike Cohen

Dec 19, 2021, 11:02:59 PM
to martinl...@gmail.com, velociraptor-discuss
Hi Martin,
   The file_store() function converts from an agnostic file store path to a physical path on disk. Normally you don't specify the filestore paths as a string as they come from various other plugins (e.g. enumerate_flow()) but you can specify it as a string in the way you are if you want.

As a VQL function it takes one string parameter and returns one string - so the code get(item=file_store(path='/clients/<client_id>/monitoring'), member='0') will try to read the 0th item in a list, but the result is not a list - hence why it returns NULL


This should be enough
SELECT * FROM execve(argv=['rm', '-rf', file_store(path='/clients/<client_id>/monitoring')])

Note that file_store itself does not do any verification that it is a valid directory or path and that it lies within the file store - your query can be very dangerous if someone can specify client_id as for example "../../../../"

Maybe you also need to sanitize the client id to ensure it is a valid client first.

Thanks
Mike




Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
M  ‭+61 470 238 491‬ 
mi...@velocidex.com 



Mike Cohen

Dec 19, 2021, 11:39:33 PM
to martinl...@gmail.com, velociraptor-discuss
It seems I was wrong - the file_store() function does in fact sanitize the path properly and also escapes invalid characters according to the filestore path rules. ".." sequences are ignored and invalid characters (and unicode) are % escaped safely.


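One way to act on Mike's advice to confirm the client id is a real client before the file store path is used, written as an added example for this thread rather than code from the discussion or from the Velociraptor project. It assumes client ids have the form C.<hex digits> and that client_info() returns NULL for a client the server does not know about (both are assumptions).

```vql
-- Added example (not from the thread). Assumes client ids look like
-- C.<hex digits> and that client_info() returns NULL for unknown clients.
LET ClientId = "C.1234567890abcdef"   -- constructed sample value

-- Accept only a well-formed id that the server actually knows about.
LET ValidClient = ClientId =~ '^C[.][0-9a-f]+$'
                  AND client_info(client_id=ClientId).client_id = ClientId

SELECT * FROM if(
    condition=ValidClient,
    then={
        -- file_store() takes one string and returns one string, so it is
        -- passed straight to execve() without get(member='0').
        SELECT * FROM execve(argv=['rm', '-rf',
            file_store(path='/clients/' + ClientId + '/monitoring')])
    },
    else={
        SELECT ClientId AS ClientId,
               "Refusing to delete: unknown or malformed client id" AS Error
        FROM scope()
    })
```

The else branch reports the rejected id as a row instead of running anything, so a bad input shows up in the query results rather than silently doing nothing.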
