
posted by martyb on Tuesday May 14 2019, @09:26PM
from the not-even-remotely-funny dept.

https://www.securityweek.com/remote-code-execution-vulnerability-impacts-sqlite

A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered.

Tracked as CVE-2019-5018 and featuring a CVSS score of 8.1, the vulnerability resides in the window function functionality of Sqlite3 3.26.0 and 3.27.0.

To trigger the flaw, an attacker would need to send a specially crafted SQL command to the victim, which could allow them to execute code remotely.

The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Talos notes.

SQLite implements the Window Functions feature of SQL, allowing queries over a subset, or "window," of rows, and the newly revealed vulnerability was found in the "window" function.

The security researchers discovered that, under certain conditions, after a SELECT statement containing a window function has been parsed, the expression list held by the SELECT object is rewritten, and the master window object is used during that rewrite.


Related Stories

SQLite: Past, Present, and Future

Distributed computing researcher, Murat Demirbas, has written a blog post about what he sees as the past, present, and future of SQLite.

This paper, which appeared in VLDB'22 a couple weeks ago, delves into analytical data processing on SQLite, identifying key bottlenecks and implementing suitable solutions. As a result of the optimizations implemented, SQLite is now up to 4.2X faster on the Star Schema Benchmark (SSB). This is a sweet little paper (befitting SQLite's fame). It is technically easy to read yet very fulfilling.

The paper also has an important theme. Throughout the paper, we see time and again how SQLite benefits from its informative profiling utilities and aggressive testing to identify and implement optimizations quickly. Performance and correctness monitoring is a prime factor in development velocity. The ease of profiling SQLite's execution engine enabled the team to pinpoint which virtual instructions were responsible for the bottlenecks, and also to watch out for performance regression issues. Their extensive test suite (consisting of fuzz, boundary value, regression, I/O, out-of-memory testing) allowed them to quickly integrate the optimizations into a release build without worrying about breaking other components of the library.

SQLite is a widely used, single-node, online transaction processing (OLTP) database useful in many situations where SQL is relevant yet Postgresql or MariaDB are too heavy.

Previously:
(2019) SELECT Code_execution FROM * USING SQLite: Eggheads Lift the Lid on DB Security Hi-jinks
(2019) Remote Code Execution Vulnerability Impacts SQLite


  • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @09:48PM

    by Anonymous Coward on Tuesday May 14 2019, @09:48PM (#843610)

    It doesn't take a rocket surgeon to put a DSL client side and generate validated SQL server side. Don't expose your core processor, not even once!

  • (Score: 2) by krishnoid on Tuesday May 14 2019, @09:48PM (1 child)

    by krishnoid (1156) on Tuesday May 14 2019, @09:48PM (#843611)

    Don't a lot of Android (and maybe iOS) apps use sqlite behind the scenes for data storage? This seems like a lot of malicious applications could use this as an infection vector.

    • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @10:01PM

      by Anonymous Coward on Tuesday May 14 2019, @10:01PM (#843619)

      Not so bad either. I don't know of any apps that execute network-provided SQL.

  • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @10:21PM (1 child)

    by Anonymous Coward on Tuesday May 14 2019, @10:21PM (#843624)

    More and more things that "security researchers discover" defy all sense to make a headline.

    • (Score: 3, Touché) by Anonymous Coward on Tuesday May 14 2019, @10:56PM

      by Anonymous Coward on Tuesday May 14 2019, @10:56PM (#843634)

      Well, considering "defy all sense" also describes the internals of most enterprise applications....

  • (Score: 2) by Bot on Wednesday May 15 2019, @12:31AM (2 children)

    by Bot (3902) on Wednesday May 15 2019, @12:31AM (#843651) Journal

    You darn atheists think that vulnerabilities arise from mistakes or malice while the programmer is working, but in fact they are like angels in heaven that sometimes come down to populate the software. This vulnerability was flying over sqlite and saw a place called "WINDOW" function. Thinking "I feel strangely attracted to this name", it gently landed there.

    --
    Account abandoned.
    • (Score: 0) by Anonymous Coward on Wednesday May 15 2019, @12:55AM

      by Anonymous Coward on Wednesday May 15 2019, @12:55AM (#843657)

      That explains why it evaded SQLite's extensive testing:

      SQLite is very carefully tested prior to every release and has a reputation for being very reliable. Most of the SQLite source code is devoted purely to testing and verification. An automated test suite runs millions and millions of test cases involving hundreds of millions of individual SQL statements and achieves 100% branch test coverage. SQLite responds gracefully to memory allocation failures and disk I/O errors.

    • (Score: 2) by Freeman on Wednesday May 15 2019, @02:13PM

      by Freeman (732) on Wednesday May 15 2019, @02:13PM (#843824) Journal

      Just 'cause an angel appeared doesn't mean it came from heaven.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 3, Insightful) by fyngyrz on Wednesday May 15 2019, @02:34PM (1 child)

    by fyngyrz (6567) on Wednesday May 15 2019, @02:34PM (#843833) Journal

    If your webapp or deskapp application code allows an attacker to "send specially crafted code to SQLite" then your code is broken at the script-kiddie level of competence.

    If you've exposed a DB engine in general, again, that's incompetent.

    If your system has been pwned some other way (or you are letting people use your system without vetting them carefully) and now the attacker can get directly at SQLite, you have much bigger problems than an SQLite vulnerability.

    Not saying these things are not a problem — we're inundated with people who are wielding that level of skill, or nearly.

    But WRT apps, if you're even moderately competent, you have scrubbed your data entirely clean for both non-alphanumeric characters and for length before it gets to the (any!) DB, and there's no chance whatsoever of it turning into some kind of command the DB will execute or error out on.

    Memory is cheap. Security is not. Scrubbing data is only one of quite a few basic security principles that should be in play when anything serious is being undertaken.

    What really gets me is that these people who cluelessly leave various and sundry doors open get hired while perfectly competent types are left job-hunting. With that in mind, when someone gets pwned by something of this type, I'm inclined to mutter "karma, bitches."

    --
    Use promo code "NETFLIX" to get 50% off your social life!
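The two comments above make the same point from different angles: the first suggests a client-side DSL whose SQL is generated and validated server side, the second that untrusted input must never become SQL text. The following is an added example of that pattern (not code from the thread or from the SQLite project): a small JSON filter DSL is compiled against an allowlist of columns and operators, every client value is bound as a parameter, and anything else is rejected before it can reach the SQLite parser. The `products` table, its rows and the DSL shape are constructed for the example.

```python
import json
import sqlite3

# Allowlist of what the client-side DSL may name; anything else is rejected.
COLUMNS = {"id", "name", "price"}
OPS = {"eq": "=", "lt": "<", "gt": ">"}


def compile_filter(dsl):
    """Translate a JSON filter request into (sql, params).

    Only allowlisted column names and operators are spliced into the SQL
    text; client-supplied values never are, they are bound with '?'.
    """
    req = json.loads(dsl)
    if not isinstance(req, dict) or set(req) - {"where", "limit"}:
        raise ValueError("request must be an object with only where/limit")
    clauses, params = [], []
    for cond in req.get("where", []):
        if not isinstance(cond, dict) or set(cond) != {"col", "op", "value"}:
            raise ValueError("malformed condition")
        if cond["col"] not in COLUMNS or cond["op"] not in OPS:
            raise ValueError("column or operator not allowed")
        if isinstance(cond["value"], bool) or not isinstance(cond["value"], (int, float, str)):
            raise ValueError("unsupported value type")
        clauses.append(f"{cond['col']} {OPS[cond['op']]} ?")
        params.append(cond["value"])
    limit = req.get("limit", 100)
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= 1000:
        raise ValueError("limit out of range")
    sql = "SELECT id, name, price FROM products"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id LIMIT ?"
    params.append(limit)
    return sql, tuple(params)


def run_query(dsl):
    """Execute a compiled filter against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "lamp", 20.0), (2, "desk", 150.0), (3, "chair", 80.0)])
    sql, params = compile_filter(dsl)
    return conn.execute(sql, params).fetchall()
```

Because the SQL text is fixed by the server and only parameters vary, a client cannot reach statement types (such as a SELECT with a window function) that the service never intended to run.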

    • (Score: 0) by Anonymous Coward on Wednesday May 15 2019, @08:27PM

      by Anonymous Coward on Wednesday May 15 2019, @08:27PM (#843961)

      exactly. and big companies hire the most disgusting sub contractors just b/c some other dumb ass company hired them. fuck all the suited whores.

  • (Score: 0) by Anonymous Coward on Wednesday May 15 2019, @04:17PM

    by Anonymous Coward on Wednesday May 15 2019, @04:17PM (#843872)

    Vulnerability acknowledged, but you are using it wrong if a remote code execution is possible. Give me an example for using SQLite remotely.
