Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/12/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Show How SQLite Can Be Modified to Attack Apps

New technique involves query hijacking to trigger a wide range of memory safety issues within the widely used database engine, Check Point says.

The near-ubiquitous presence of the SQLite database on desktop and mobile operating systems makes it an attractive target for attackers. However, efforts at finding and exploiting vulnerabilities in the database engine have focused mostly on WebSQL and the browser layer alone.

Researchers at Check Point Software Technologies have developed a new technique that shows how attackers can reliably trigger and exploit a wide range of memory safety issues in the SQLite engine using nothing other than the SQL language. It is the first research to show how SQL queries can be modified and used to execute malicious commands in applications that use SQLite to store data.

At the 2019 DEF CON hacker conference last week, researchers from Check Point demonstrated how someone could use the technique to bypass Apple's Secure Boot mechanism and gain administrative-level access and persistence on Apple's latest iPhones. They also demoed how to execute code remotely and take control of a server running PHP7 by infecting their own device with a password-stealing malware.

The research shows that querying a database may not be as safe as assumed, Check Point researcher Omer Gull said. "Defenders should now take into consideration the fact that simply querying a database might have disastrous consequences and act accordingly," Gull said. "Attackers can now leverage the use of SQLite database for their own malicious intent."

SQLite is by far the world's most widely deployed database engine, with many billions of copies in use currently. SQLite is embedded in every Android, iOS, and iPhone device; every Mac; every Windows 10 system; and every Chrome, Safari, and Firefox browser. The database is present in Skype, iTunes, Dropbox clients, smart TVs, set-top boxes, and multimedia systems.

Up to now, though — from a security standpoint, at least — SQLite has been examined only through the lens of Internet browsers, Gull noted. "However, this is just the tip of the iceberg," he said. Because of how widely SQLite is used, there are multiple other opportunities for exploiting it.

Check Point researchers decided to see whether they could find, and how they could exploit, memory corruption issues within SQLite using just SQL. The research showed it is possible for attackers to essentially hijack queries in an SQLite environment and inject code of their own into it to trigger errors or to execute malicious actions in applications reading the data.

Check Point found attackers could leverage these issues to gain administrative privileges, create a persistent backdoor, and execute code remotely. "We found several vulnerabilities within the most popular database engine in the world," Gull said. "Not only [did we uncover] those weaknesses but [we] also developed several techniques of exploitation."

Trusted and Untrusted SQL Input
The takeaway for the industry as a whole is that the boundaries of what constitutes trusted and untrusted SQL input need to be revisited, Check Point said.

At DEF CON last week, Check Point researchers demonstrated two real-life scenarios involving their technique. In the first scenario, the researchers deliberately infected their device with a password-stealing malware and then showed how they could execute code on the malware author's command and control servers to take over the crooks' systems.

The second demo focused on the iPhone iOS. By replacing a certain database on the device, the researchers were able to both gain administrative privileges and create a persistent backdoor capable of surviving across reboots. "These two capabilities bypass Apple's hard work on their sandbox and secure boot mitigations," Gull said.

Apple earlier this year issued patches against the vulnerabilities exploited (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, and CVE-2019-8577) in the SQLite attack that the Check Point researchers demonstrated last week.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.