Pierluigi Paganini December 26, 2019

Google addressed a new set of vulnerabilities, dubbed Magellan 2.0, that could be exploited for remote code execution inside the Chrome browser.

Google has fixed five SQLite vulnerabilities, dubbed Magellan 2.0, that could be exploited by an attacker to remotely execute malicious code inside the Chrome browser.

The vulnerabilities were discovered by researchers from the Tencent Blade security team.

The issue is related to a feature called the WebSQL API that exposes Chrome users to remote attacks, it is enabled by default. The WebSQL API translates JavaScript code into SQL commands, which are then executed against Chrome’s SQLite database.

Exactly one year ago, the same team of experts disclosed a critical vulnerability in SQLite database software that exposed billions of vulnerable apps to hackers.

The vulnerability tracked as ‘Magellan‘ could allow remote attackers to execute arbitrary on vulnerable devices, leak program memory or cause dos condition with application crash.

SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client–server database engine. Rather, it is embedded into the end program.

SQLite is used by millions of applications with billions of installs, Magellan potentially affects IoT devices, macOS and Windows apps.

The Magellan vulnerabilities are caused by improper input validation in SQL commands sent to the SQLite database from a third-party.

An attacker can use specially crafted SQL operations containing malicious code, when the SQLite database engine will read them SQLite operation, it will perform commands on behalf of the attacker.

“Magellan 2.0 is some vulnerabilities that exist in SQLite (Former was: Magellan 1.0 ). These vulnerabilities were found by Tencent Blade Team and verified to be able to exploit remote code execution in Chromium render process.” reads the advisory published by the experts. “As a well-known database, SQLite is widely used in all modern mainstream operating systems and softwares, so this vulnerability has a wide range of influence. SQLite and Google had confirmed and fixed these vulnerabilities.”

The flaws, tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753, could cause remote code execution, or could leak program memory or cause program crashes.

Any app using an SQLite database to store data is vulnerable if allows direct input of raw SQL commands.

Google Chrome uses an internal SQLite database to store various browser settings and user data.

Google addressed the five Magellan 2.0 vulnerabilities with the release of Google Chrome 79.0.3945.79.

The good news is that Tencent was not aware of any public exploit code for Magellan 2.0 or attacks in the wild exploiting the flaws. At the time of disclosing the flaws, the experts did not release details about them.

Vulnerabilities Timeline

• 16 Nov 2019 Reported to Google and SQLite.
• 16 Nov 2019 Vulnerabilities confirmed by Google.
• 27 Nov 2019 Google and SQLite fixed vulnerabilities.
• 27 Nov 2019 Tencent Blade Team provided a fuzzer to Google.
• 11 Dec 2019 Google released the official Chrome version 79.0.3945.79.
• 11 Dec 2019 CVE ID has been assigned as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753.

Pierluigi Paganini

(SecurityAffairs – Magellan 2.0, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]