Experts found a remote-code execution flaw in SQLite

Researchers at Cisco Talos discovered an use-after-free() vulnerability in SQLite that could be exploited by an attacker to remotely execute code on an affected device.

Cisco Talos experts discovered an use-after-free() flaw in
SQLite that could be exploited by an attacker to remotely execute code on an affected device. An attacker can trigger the flaw by sending a malicious SQL command to the vulnerable installs.

“An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution.” reads the analysis published by Cisco Talos. “An attacker can send a malicious SQL command to trigger this vulnerability.”

The flaw, tracked as CVE-2019-5018 affects SQLite 3.26.0, 3.27.0 and received CVSS 3.0 score 8.1.

SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is considered the most used database engine in the world, it is built into mobile phones and most computers and is used in countless other applications.

SQLite implements the Window Functions feature of SQL, after parsing a SELECT statement containing a window function, the SELECT statement is transformed using the sqlite3WindowRewrite function.

Experts discovered that the process implemented by SQLite to handle the functions includes reusing a deleted partition.

“Looking back at the original sqlite3WindowRewrite function, this deleted partition is reused after the rewrite of the expression list ” continues the analysis.

“After this partition is deleted, it is then reused in exprListAppendList [5], causing a use after free vulnerability, resulting in a denial of service. If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”

Talos published technical details of the vulnerability that was addressed with the released of SQLite version 3.28,

Timeline for the vulnerability is:

2019-02-05 – Vendor Disclosure
2019-03-07 – 30 day follow up with vendor; awaiting moderator approval
2019-03-28 – Vendor patched
2019-05-09 – Public Release

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SQLite, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.