SQLBot Stored Prompt Injection Vulnerability Leading to Remote Code Execution

A stored prompt injection vulnerability has been identified in SQLBot versions through 1.5.0. This vulnerability allows authenticated users to upload malicious terminology via an Excel file, exploiting a missing permission check on the upload API. The vulnerability is compounded by the unsanitized storage of terminology descriptions, which can contain harmful payloads, and the absence of semantic fencing when these descriptions are injected into the large language model's system prompt. As a result, an attacker can manipulate the model's reasoning to generate malicious PostgreSQL commands, such as executing arbitrary system commands with 'postgres' user privileges, potentially leading to remote code execution on the database or application server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server hosting SQLBot or the PostgreSQL database, with 'postgres' user privileges. This could result in executing arbitrary commands, such as reverse shells, reading sensitive configuration files, or taking full control of the PostgreSQL database cluster.

Reproduction

To reproduce this vulnerability, upload a poisoned terminology file through the '/api/v1/system/terminology/uploadExcel' endpoint. After the file is uploaded, the injected payload can be executed by sending a request that triggers the malicious command, such as 'SYNC_DATA: touch /tmp/pwned'.

Remediation

Users are advised to upgrade SQLBot to version 1.6.0, where this vulnerability has been fixed.