Experts found a remote-code execution flaw in SQLite

Researchers at Cisco Talos discovered an use-after-free() vulnerability in SQLite that could be exploited by an attacker to remotely execute code on an affected device.

Cisco Talos experts discovered an use-after-free() flaw in
SQLite that could be exploited by an attacker to remotely execute code on an affected device. An attacker can trigger the flaw by sending a malicious SQL command to the vulnerable installs.

“An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution.” reads the analysis published by Cisco Talos. “An attacker can send a malicious SQL command to trigger this vulnerability.”

The flaw, tracked as CVE-2019-5018 affects SQLite 3.26.0, 3.27.0 and received CVSS 3.0 score 8.1.

SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is considered the most used database engine in the world, it is built into mobile phones and most computers and is used in countless other applications.

SQLite implements the Window Functions feature of SQL, after parsing a SELECT statement containing a window function, the SELECT statement is transformed using the sqlite3WindowRewrite function.

Experts discovered that the process implemented by SQLite to handle the functions includes reusing a deleted partition.

“Looking back at the original sqlite3WindowRewrite function, this deleted partition is reused after the rewrite of the expression list ” continues the analysis.

“After this partition is deleted, it is then reused in exprListAppendList [5], causing a use after free vulnerability, resulting in a denial of service. If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”

Talos published technical details of the vulnerability that was addressed with the released of SQLite version 3.28,

Timeline for the vulnerability is:

2019-02-05 – Vendor Disclosure
2019-03-07 – 30 day follow up with vendor; awaiting moderator approval
2019-03-28 – Vendor patched
2019-05-09 – Public Release

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SQLite, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]