Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software

Presented at Black Hat USA 2017, July 26, 2017, 11:15 a.m. (50 minutes)

SQLite is widely used as an embedded database for local/client storage in application software such as web browsers and mobile applications. As a relational database, SQLite is vulnerable to SQL injection, an attack class that has been well studied for a long time. Memory corruption bugs in SQLite, on the other hand, are usually not treated as security issues, because they are normally considered unlikely to be exploitable. In this talk, we will study several remotely exploitable memory corruption cases to show how dangerous the attack surface in SQLite really is.

The journey of SQLite exploitation starts with Web SQL. Web SQL Database is a web page API for storing data in databases that can be queried with SQL. Although the W3C working group stopped work on the specification in 2010, many modern browsers, including Google Chrome, Apple Safari and Opera, have shipped an implementation backed by SQLite for years. We will go through several previous SQLite issues and discuss how they affected the browsers and how they were fixed. We will also present new vulnerabilities in SQLite that we used to compromise Apple Safari in Pwn2Own 2017. The new bugs exist in all browsers that support Web SQL Database, including the browser components Android WebView and iOS UIWebView that are widely used in mobile applications. We will demonstrate our exploit against multiple browser targets on multiple platforms to show the impact of a single SQLite vulnerability.

Many programming languages, such as PHP, Lua and Java, have SQLite API bindings, so memory corruption bugs in SQLite may also undermine the security features of those languages. As an example, we will show how exploiting SQLite through the PHP SQLite extension bypasses PHP's security restrictions.
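The abstract's closing point is that one SQLite bug reaches every host that links the library, whether a browser behind Web SQL or a language binding such as PHP's. The first thing a defender needs per host is therefore which SQLite build that host actually embeds. The script below is an added example, not code from the talk or from Chaitin Tech: it uses Python's sqlite3 module as a stand-in for any binding, asks the linked library for its version and compile options, and gates on a minimum version. The MIN_VERSION threshold and the helper names are assumptions for illustration; the page names no fixed version.

```python
"""Added example (not from the talk): report which SQLite a host runtime embeds.

Python's sqlite3 module stands in here for any SQLite binding.  The PHP
equivalent would be SQLite3::version() or 'SELECT sqlite_version()' issued
through the PHP SQLite extension; the query path is the same library.
"""
import sqlite3
from typing import Tuple

# Assumed policy threshold, for illustration only.  Replace it with the version
# that carries the fixes you care about for your own hosts.
MIN_VERSION = (3, 19, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.19.3' -> (3, 19, 3); tolerates a trailing qualifier such as '3.20.0-beta'."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_at_least(text: str, minimum: Tuple[int, ...] = MIN_VERSION) -> bool:
    """Tuple comparison orders 3.9 before 3.19; a plain string compare would not."""
    return parse_version(text) >= minimum


def embedded_sqlite_info() -> dict:
    """Ask the linked library itself instead of trusting only the binding's constant.

    sqlite3.sqlite_version is read from the library when the module loads; the
    SQL query asks the same library at run time.  If the two disagree, the
    binding and the engine the process is really using are not the same build.
    """
    conn = sqlite3.connect(":memory:")
    try:
        runtime_version = conn.execute("SELECT sqlite_version()").fetchone()[0]
        # compile_options lists build flags (THREADSAFE, ENABLE_FTS3, ...).
        # Every optional feature that page- or script-controlled SQL can reach
        # is additional parser and VM surface, so inventory it too.
        options = [row[0] for row in conn.execute("PRAGMA compile_options")]
    finally:
        conn.close()
    return {
        "binding_version": sqlite3.sqlite_version,
        "runtime_version": runtime_version,
        "versions_agree": runtime_version == sqlite3.sqlite_version,
        "meets_minimum": version_at_least(runtime_version),
        "compile_options": options,
    }


if __name__ == "__main__":
    info = embedded_sqlite_info()
    print(f"embedded SQLite {info['runtime_version']} "
          f"(binding constant {info['binding_version']}, agree={info['versions_agree']})")
    print("meets assumed minimum:", info["meets_minimum"])
    print("compile options:", ", ".join(info["compile_options"]))
```

Run the same check inside each runtime you ship (a WebView-based app, a PHP host, a Java service) rather than once on a developer machine: the talk's whole premise is that the interesting question is not the bug but how many distinct hosts embed the affected library.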

Presenters:

  • Kun Yang - Chief Security Researcher, Beijing Chaitin Tech Co. Ltd.
    Kun Yang is Chief Security Researcher at Chaitin Tech (@ChaitinTech). He leads Chaitin Security Research Lab, which pwned Safari, Firefox, macOS and Ubuntu at Pwn2Own 2017. His research interests include vulnerability discovery and binary exploitation. He also plays CTFs as a member of blue-lotus and b1o0p, and won second place in DEFCON CTF 2016.
  • Siji Feng - Senior Security Researcher, Beijing Chaitin Tech Co. Ltd.
    Siji Feng (a.k.a. Slipper) is a senior security researcher at Chaitin Tech (@ChaitinTech). He was the leader of the CTF team 0ops.
  • Zhi Zhou - Senior Security Researcher, Beijing Chaitin Tech Co. Ltd.
    Zhi Zhou is a senior security researcher at Chaitin Tech (@ChaitinTech). His research interests include vulnerability discovery, mobile app security and binary exploitation.
