Another remote-code execution hole in top database engine SQLite: How it works, and why not to totally freak out
You know the drill: Patch and stop using C
Cisco Talos researchers have uncovered an SQLite use-after-free() vulnerability that could allow an attacker to, in theory, remotely execute code on an affected device.
"An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0," said Talos in a blog post describing the vuln, provisionally allocated CVE-2019-5018.
SQLite is an open-source project, and its maintainers describe it as "the most used database engine in the world."
SQLite implements SQL's Window Functions, and Talos researcher Cory Duplantis found that the way SQLite handles the functions includes reusing a deleted partition.
As he noted: "After this partition is deleted, it is then reused in exprListAppendList, causing a use after free vulnerability, resulting in a denial of service. If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution."
Talos published a walkthrough, complete with examples of code highlighting precisely what the vuln is and how it exists. The fix is easy, up to a point: update your project or product to SQLite version 3.28, available on the SQLite website – and then roll out the fix to your end users.
Now, it sounds scary but the key thing here is that an attacker would have to execute carefully crafted SQL commands on the vulnerable engine to get code execution on the underlying host system.
Typically, users and miscreants aren't allowed to run arbitrary SQL commands as that would mean they could potentially do far more damage, such as delete data or access information belonging to other users. If an attacker can inject or run their own SQL commands on a database, then it's probably game over already for your application and data.
What this all really means is that if an application has an SQL injection security hole in it, it can be exploited in conjunction with this latest SQLite vulnerability to run arbitrary malicious code, such as malware, on the underlying computer or device. It would allow a hacker to jump from SQL injection to code execution.
It, realistically, requires the combination of an SQL injection flaw with this latest engine bug to do scary damage. So don't panic, systems aren't going to be pwned all over the world, but do patch if you can, because you don't want potentially exploited vulnerabilities lingering in your kit.
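The two defensive checks this implies, as an added example that is not code from Talos, SQLite or this article: confirm the SQLite library your application links is at or past the 3.28 release named above, and keep user input out of the SQL text so nobody else gets to choose the statement the engine runs. It assumes a Python application using the bundled sqlite3 module; the function names, table and input string are hypothetical and constructed for illustration.

```python
import sqlite3

FIXED_VERSION = (3, 28, 0)  # the release the article names as carrying the fix


def engine_is_patched(version_info=None):
    """True if the SQLite library linked into this interpreter is >= 3.28.0."""
    if version_info is None:
        version_info = sqlite3.sqlite_version_info
    return tuple(version_info) >= FIXED_VERSION


def make_db():
    # Constructed sample data, for illustration only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def lookup_concatenated(db, name):
    # Vulnerable pattern: caller input becomes part of the SQL text,
    # so the caller decides what statement the engine parses and runs.
    return db.execute(
        "SELECT secret FROM users WHERE name = '" + name + "'").fetchall()


def lookup_parameterised(db, name):
    # Hardened pattern: input is bound as a value and never parsed as SQL.
    return db.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print("linked SQLite:", sqlite3.sqlite_version,
          "patched" if engine_is_patched() else "NEEDS UPDATE")
    db = make_db()
    hostile = "nobody' OR '1'='1"  # constructed input
    print("concatenated :", lookup_concatenated(db, hostile))   # every row
    print("parameterised:", lookup_parameterised(db, hostile))  # no rows
```

The version reported is that of the library the interpreter actually loaded, which is the one that matters when SQLite is bundled rather than taken from the operating system.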
Late last year, Tencent researchers spotted an SQLite vuln that could have been abused to inject malware into vulnerable systems, as we reported at the time. That one relied on memory corruption to create the conditions for arbitrary code execution, though the key vector was ordinary users being granted the privs to execute SQL commands.
Less recently, SQLite creator Dwayne Richard Hipp talked to El Reg about the project's unabashedly Christian code of conduct. ®