ClickHouse Command Execution Vulnerability via Executable Tables for Low-Privileged Users

Vulnerability

A vulnerability in ClickHouse version 25.7.1.557 allows low-privileged users to execute shell commands by querying Executable() tables created by users with higher privileges. While the CREATE TABLE privilege is limited, there is no access control preventing low-privileged users from using existing Executable tables. If an attacker can modify the script referenced by the Executable() engine through writable paths, they could execute commands in the context of the ClickHouse server, potentially leading to privilege escalation and unauthorized code execution.

Impact

Exploitation of this vulnerability allows authenticated users with only SELECT privileges to execute arbitrary system commands through pre-existing Executable() tables, bypassing normal privilege restrictions. This could be used to escalate privileges or execute unauthorized code on the server.

Reproduction

To reproduce this vulnerability, first create a bash script that will be executed when the Executable table is queried. This script should be placed in a directory accessible to ClickHouse, such as '/var/lib/clickhouse/user_scripts/'. Next, as a privileged user, create a table using the Executable() engine that points to the script. After that, create a low-privileged user with SELECT rights. Finally, the low-privileged user can execute a SELECT query on the Executable table, triggering the execution of the script on the server.

Remediation

To address this vulnerability, restrict access to Executable() tables using granular GRANT controls, avoiding SELECT permissions on these tables for untrusted users. Additionally, monitor and audit access to the user_scripts directory and the usage of Executable() tables.
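As an added example (not part of the original advisory), the following ClickHouse SQL inventories existing Executable() tables, shows which users or roles can read one, carves that table out of a broader SELECT grant, and pulls recent reads of it from the query log. The database, table and role names are placeholders.

```sql
-- Added example, not from the advisory. default.exec_report and
-- analyst_role are placeholder names.

-- 1. Inventory: every table backed by the Executable engine (and the
--    related ExecutablePool engine) on this server.
SELECT database, name, engine, create_table_query
FROM system.tables
WHERE engine IN ('Executable', 'ExecutablePool');

-- 2. Who can currently read the table? A SELECT granted on the whole
--    database or ON *.* also covers Executable tables.
SELECT user_name, role_name, access_type, database, table, is_partial_revoke
FROM system.grants
WHERE access_type = 'SELECT'
  AND (database IS NULL OR database = 'default')
  AND (table IS NULL OR table = 'exec_report');

-- 3. Tighten: a partial revoke removes the table from a wider grant
--    without touching the role's other SELECT rights.
REVOKE SELECT ON default.exec_report FROM analyst_role;

-- 4. Audit: recent completed queries that touched the table.
SELECT event_time, user, address, query
FROM system.query_log
WHERE type = 'QueryFinish'
  AND has(tables, 'default.exec_report')
  AND event_time > now() - INTERVAL 1 DAY
ORDER BY event_time DESC
LIMIT 50;
```

Pair the revoke with filesystem permissions on the user_scripts directory so that only the ClickHouse service account and administrators can write the referenced scripts.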

Added: Jun 23, 2025, 5:29 PM
Updated: Jun 23, 2025, 5:29 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 6.2
remediation: 8.3
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.