Sandbox Escape in Cockroachdb

Sandbox escape in Cockroachdb occurs when untrusted SQL input bypasses the database's query execution isolation, allowing attackers to execute arbitrary code or access data outside their intended permissions. This vulnerability is particularly dangerous in Cockroachdb's distributed architecture where nodes communicate and execute queries across the cluster.

The most common sandbox escape pattern in Cockroachdb involves SQL injection combined with the database's PL/pgSQL-like procedural language. Cockroachdb's implementation of stored procedures and user-defined functions can be exploited when user input is concatenated directly into dynamic SQL statements without proper sanitization.

CREATE OR REPLACE FUNCTION vulnerable_function(user_input STRING) RETURNS STRING AS $$ DECLARE result STRING; BEGIN EXECUTE format('SELECT %s', user_input) INTO result; RETURN result; END; $$ LANGUAGE plpgsql;

This function is vulnerable because the EXECUTE statement runs with elevated privileges, potentially allowing access to system catalogs or other databases. An attacker could craft input like:

pg_sleep(10) || (SELECT version() FROM crdb_internal.node_build_info)

The sandbox escape becomes more severe when combined with Cockroachdb's privilege system. The database's role-based access control can be bypassed if stored procedures execute with definer privileges rather than invoker privileges, a common misconfiguration in Cockroachdb deployments.

Another manifestation involves Cockroachdb's time travel queries. The AS OF SYSTEM TIME clause allows querying historical data, but when combined with user-controlled timestamps, it can lead to unauthorized data access across time boundaries:

SELECT * FROM users WHERE created_at = AS OF SYSTEM TIME user_provided_timestamp

Cockroachdb's distributed nature introduces additional sandbox escape vectors through its replication and consensus mechanisms. An attacker who gains control over a node could potentially manipulate raft logs or interfere with the distributed SQL execution, causing queries to be processed on unintended nodes.

The database's support for external connections and foreign data wrappers (FDWs) creates another sandbox escape path. If an attacker can control FDW configuration or connection strings, they might establish connections to external systems or internal services that should be inaccessible from the database context.

Detecting sandbox escape vulnerabilities in Cockroachdb requires understanding its specific execution model and security boundaries. The first step is identifying stored procedures and functions that use dynamic SQL with EXECUTE statements, particularly those that don't use parameterized queries.

middleBrick's API security scanner includes specialized checks for Cockroachdb sandbox escape patterns. When scanning a Cockroachdb endpoint, the scanner tests for SQL injection in stored procedure calls, dynamic SQL execution, and privilege escalation attempts. The scanner's black-box approach sends crafted payloads to identify vulnerable code paths without requiring database credentials.

middleBrick scan https://cockroachdb-endpoint.com --test=sql-injection --test=privilege-escalation

The scanner specifically looks for Cockroachdb's PL/pgSQL syntax patterns and tests for common sandbox escape techniques like time travel query manipulation, FDW abuse, and distributed query hijacking.

For code-based detection, Cockroachdb provides the EXPLAIN ANALYZE command with security annotations. You can identify potentially vulnerable procedures by examining their execution plans:

EXPLAIN (VERBOSE) SELECT * FROM vulnerable_function('malicious_input');

Look for procedures that use EXECUTE with concatenated strings, particularly those that access system catalogs or perform administrative operations. The crdb_internal schema contains functions that should be restricted to specific roles.

Monitoring tools can detect sandbox escape attempts by tracking unusual query patterns. Cockroachdb's built-in telemetry can alert on:

• Queries accessing crdb_internal tables from non-admin roles
• Unusual EXECUTE statement patterns
• Time travel queries with suspicious timestamps
• Foreign data wrapper connection attempts

Network-level detection is also important. Monitor for database nodes communicating with unexpected external services or internal services they shouldn't access. Cockroachdb's distributed architecture means sandbox escapes can manifest as unusual network traffic between nodes.

The database's audit logs provide another detection layer. Enable detailed logging for stored procedure execution and dynamic SQL statements to identify when EXECUTE is used with untrusted input. Look for patterns like:

2024-01-15 10:30:45.123 UTC [client=192.168.1.100] EXECUTE: SELECT * FROM sensitive_data WHERE id = 'malicious_input'

middleBrick's continuous monitoring feature can automatically scan your Cockroachdb instances on a schedule, alerting you when new sandbox escape vulnerabilities are detected as your schema or procedures evolve.

Remediating sandbox escape vulnerabilities in Cockroachdb requires a defense-in-depth approach that addresses both code-level issues and configuration problems. The primary remediation is eliminating dynamic SQL where possible and using parameterized queries instead.

For stored procedures that must use dynamic SQL, implement strict input validation and use the USING clause for parameters:

CREATE OR REPLACE FUNCTION secure_function(user_input STRING) RETURNS STRING AS $$ DECLARE result STRING; BEGIN EXECUTE format('SELECT data FROM table WHERE id = $1') USING user_input INTO result; RETURN result; END; $$ LANGUAGE plpgsql;

This approach ensures that user input is treated as data rather than executable SQL, preventing injection attacks that could lead to sandbox escape.

Privilege separation is critical in Cockroachdb. Create dedicated roles for different application components and ensure stored procedures execute with the minimum necessary privileges. Use the SECURITY INVOKER attribute instead of SECURITY DEFINER:

CREATE OR REPLACE FUNCTION secure_procedure() RETURNS VOID SECURITY INVOKER AS $$ BEGIN -- procedure logic END; $$ LANGUAGE plpgsql;

Security definer functions are a common source of sandbox escapes because they execute with the creator's privileges, potentially allowing users to bypass their own permission restrictions.

Implement strict input validation for any user-controlled data that might be used in SQL contexts. Cockroachdb provides built-in validation functions, but custom validation is often necessary:

CREATE OR REPLACE FUNCTION validate_timestamp(input STRING) RETURNS TIMESTAMPTZ AS $$ BEGIN IF input ~ '^\-?[0-9]+$' THEN -- numeric timestamp validation RETURN AS OF SYSTEM TIME input::INT8; ELSE -- reject invalid formats RAISE EXCEPTION 'Invalid timestamp format'; END IF; END; $$ LANGUAGE plpgsql;

For time travel queries, implement access controls that restrict AS OF SYSTEM TIME to specific, validated values rather than arbitrary user input.

Configure Cockroachdb's authentication and authorization to minimize attack surface. Disable unused features like FDWs if they're not needed, and restrict network access to database nodes. Use Cockroachdb's role-based access control to ensure users can only access the data and procedures they need.

Implement query timeouts and resource limits to mitigate the impact of successful sandbox escapes. Cockroachdb allows setting statement timeouts and memory limits:

SET statement_timeout = '10s'; SET max_memory_per_query = '100MB';

These limits prevent long-running queries that might be used for denial-of-service attacks or data exfiltration after a sandbox escape.

Regular security scanning is essential. Use middleBrick's CLI tool to scan your Cockroachdb instances as part of your deployment pipeline:

middlebrick scan cockroach://username:password@host:26257/defaultdb --test=sql-injection --test=privilege-escalation

Integrate this scanning into your CI/CD pipeline to catch sandbox escape vulnerabilities before they reach production. middleBrick's GitHub Action can automatically fail builds when security issues are detected.

Keep Cockroachdb updated with the latest security patches. The database's developers regularly fix sandbox escape vulnerabilities, and running outdated versions leaves you exposed to known exploits.

Finally, implement comprehensive logging and monitoring. Track EXECUTE statements, privilege escalations, and unusual query patterns. Set up alerts for suspicious activity that might indicate sandbox escape attempts.