Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/12/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Show How SQLite Can Be Modified to Attack Apps

New technique involves query hijacking to trigger a wide range of memory safety issues within the widely used database engine, Check Point says.

The near-ubiquitous presence of the SQLite database on desktop and mobile operating systems makes it an attractive target for attackers. However, efforts at finding and exploiting vulnerabilities in the database engine have focused mostly on WebSQL and the browser layer alone.

Researchers at Check Point Software Technologies have developed a new technique that shows how attackers can reliably trigger and exploit a wide range of memory safety issues in the SQLite engine using nothing other than the SQL language. It is the first research to show how SQL queries can be modified and used to execute malicious commands in applications that use SQLite to store data.

At the 2019 DEF CON hacker conference last week, researchers from Check Point demonstrated how someone could use the technique to bypass Apple's Secure Boot mechanism and gain administrative-level access and persistence on Apple's latest iPhones. They also demoed how to execute code remotely and take control of a server running PHP7 by infecting their own device with a password-stealing malware.

The research shows that querying a database may not be as safe as assumed, Check Point researcher Omer Gull said. "Defenders should now take into consideration the fact that simply querying a database might have disastrous consequences and act accordingly," Gull said. "Attackers can now leverage the use of SQLite database for their own malicious intent."

SQLite is by far the world's most widely deployed database engine, with many billions of copies in use currently. SQLite is embedded in every Android, iOS, and iPhone device; every Mac; every Windows 10 system; and every Chrome, Safari, and Firefox browser. The database is present in Skype, iTunes, Dropbox clients, smart TVs, set-top boxes, and multimedia systems.

Up to now, though — from a security standpoint, at least — SQLite has been examined only through the lens of Internet browsers, Gull noted. "However, this is just the tip of the iceberg," he said. Because of how widely SQLite is used, there are multiple other opportunities for exploiting it.

Check Point researchers decided to see whether they could find, and how they could exploit, memory corruption issues within SQLite using just SQL. The research showed it is possible for attackers to essentially hijack queries in an SQLite environment and inject code of their own into it to trigger errors or to execute malicious actions in applications reading the data.

Check Point found attackers could leverage these issues to gain administrative privileges, create a persistent backdoor, and execute code remotely. "We found several vulnerabilities within the most popular database engine in the world," Gull said. "Not only [did we uncover] those weaknesses but [we] also developed several techniques of exploitation."

Trusted and Untrusted SQL Input
The takeaway for the industry as a whole is that the boundaries of what constitutes trusted and untrusted SQL input need to be revisited, Check Point said.

At DEF CON last week, Check Point researchers demonstrated two real-life scenarios involving their technique. In the first scenario, the researchers deliberately infected their device with a password-stealing malware and then showed how they could execute code on the malware author's command and control servers to take over the crooks' systems.

The second demo focused on the iPhone iOS. By replacing a certain database on the device, the researchers were able to both gain administrative privileges and create a persistent backdoor capable of surviving across reboots. "These two capabilities bypass Apple's hard work on their sandbox and secure boot mitigations," Gull said.

Apple earlier this year issued patches against the vulnerabilities exploited (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, and CVE-2019-8577) in the SQLite attack that the Check Point researchers demonstrated last week.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.