https://www.securityweek.com/remote-code-execution-vulnerability-impacts-sqlite
A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered.
Tracked as CVE-2019-5018 and carrying a CVSS score of 8.1, the vulnerability resides in the window function functionality of SQLite 3.26.0 and 3.27.0.
To trigger the flaw, an attacker needs to get a specially crafted SQL statement executed by the vulnerable SQLite library; under the right conditions that could allow them to execute code remotely.
The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Talos notes.
SQLite implements the Window Functions feature of SQL, which lets a query compute over a subset, or "window," of the rows related to the current row; the newly disclosed vulnerability lies in that window-function code.
The researchers found that after a SELECT statement containing a window function has been parsed, under certain conditions the expression list held by the SELECT object is rewritten, and the master window object is used during that process.
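Two things a practitioner wants to know after reading the above: which SQLite build their process actually links (the bundled copy, not whatever a package manager reports), and how to keep attacker-controlled text from ever reaching the SQL parser, since the attack requires a crafted statement to be parsed. The following is an added example written for this page, not code from Talos, SecurityWeek or the SQLite project. It assumes Python's standard `sqlite3` module; the "affected" set is the two releases the article names, and treating other window-capable releases before the 3.28.0 fix as "review" is this example's own conservative assumption. The `staff` table is constructed sample data.

```python
import sqlite3

# Releases the advisory names as affected by CVE-2019-5018 (use-after-free in
# window-function handling). Window functions arrived in 3.25.0 and the fix
# shipped in 3.28.0; flagging other pre-fix window-capable releases as
# "review" is this example's own conservative assumption, not the advisory's.
NAMED_AFFECTED = {(3, 26, 0), (3, 27, 0)}
WINDOW_FUNCTIONS_SINCE = (3, 25, 0)
FIXED_IN = (3, 28, 0)


def parse_version(version):
    """'3.27.2' -> (3, 27, 2); SQLite version strings are dotted integers."""
    return tuple(int(part) for part in version.split("."))


def classify(version):
    """Classify a SQLite version string against the CVE-2019-5018 window."""
    v = parse_version(version)
    if v in NAMED_AFFECTED:
        return "affected"
    if WINDOW_FUNCTIONS_SINCE <= v < FIXED_IN:
        return "review"
    return "not_affected"


def linked_sqlite_status():
    """Report on the library this interpreter actually loads, not pip metadata."""
    return sqlite3.sqlite_version, classify(sqlite3.sqlite_version)


def build_demo_db():
    """Constructed sample table for the demonstration; no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff(name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [("ana", "eng", 120), ("bob", "eng", 100), ("cy", "ops", 90), ("di", "ops", 95)],
    )
    return conn


def rank_in_department(conn, dept):
    """Window query with the caller's value bound as a parameter.

    The attack surface the advisory describes is attacker-controlled SQL text
    reaching the parser. A bound parameter is never parsed as SQL, so a value
    like "eng' OR 1=1 --" is compared as a plain string and matches nothing.
    """
    if sqlite3.sqlite_version_info < WINDOW_FUNCTIONS_SINCE:
        raise RuntimeError("linked SQLite predates window functions")
    return conn.execute(
        """
        SELECT name, RANK() OVER (PARTITION BY dept ORDER BY salary DESC) AS rnk
        FROM staff WHERE dept = ? ORDER BY rnk
        """,
        (dept,),
    ).fetchall()


if __name__ == "__main__":
    print(linked_sqlite_status())
    db = build_demo_db()
    print(rank_in_department(db, "eng"))
    print(rank_in_department(db, "eng' OR 1=1 --"))
```

Run it inside the same interpreter or container that serves the application: `sqlite3.sqlite_version` is the string reported by the linked C library, so it catches a stale bundled copy that a distro package audit would miss. The bound-parameter query is the other half of the check; if any code path still builds SQL by string concatenation, the version check is the only thing standing between an attacker and the parser.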
(Score: 3, Insightful) by fyngyrz on Wednesday May 15 2019, @02:34PM (1 child)
If your webapp or deskapp application code allows an attacker to "send specially crafted code to SqLite" then your code is broken at the script-kiddie level of competence.
If you've exposed a DB engine in general, again, that's incompetent.
If your system has been pwned some other way (or you are letting people use your system without vetting them carefully) and now the attacker can get directly at SqLite, you have much bigger problems than an SqLite vulnerability.
Not saying these things are not a problem — we're inundated with people who are wielding that level of skill, or nearly.
But WRT apps, if you're even moderately competent, you have scrubbed your data entirely clean for both non-alphanumeric characters and for length before it gets to the (any!) DB, and there's no chance whatsoever of it turning into some kind of command the DB will execute or error out on.
Memory is cheap. Security is not. Scrubbing data is only one of quite a few basic security principles that should be in play when anything serious is being undertaken.
What really gets me is that these people who cluelessly leave various and sundry doors open get hired while perfectly competent types are left job-hunting. With that in mind, when someone gets pwned by something of this type, I'm inclined to mutter "karma, bitches."
--
Use promo code "NETFLIX" to get 50% off your social life!
(Score: 0) by Anonymous Coward on Wednesday May 15 2019, @08:27PM
Exactly. And big companies hire the most disgusting subcontractors just b/c some other dumbass company hired them. Fuck all the suited whores.