Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/12/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Show How SQLite Can Be Modified to Attack Apps

New technique involves query hijacking to trigger a wide range of memory safety issues within the widely used database engine, Check Point says.

The near-ubiquitous presence of the SQLite database on desktop and mobile operating systems makes it an attractive target for attackers. However, efforts at finding and exploiting vulnerabilities in the database engine have focused mostly on WebSQL and the browser layer alone.

Researchers at Check Point Software Technologies have developed a new technique that shows how attackers can reliably trigger and exploit a wide range of memory safety issues in the SQLite engine using nothing other than the SQL language. It is the first research to show how SQL queries can be modified and used to execute malicious commands in applications that use SQLite to store data.

At the 2019 DEF CON hacker conference last week, researchers from Check Point demonstrated how someone could use the technique to bypass Apple's Secure Boot mechanism and gain administrative-level access and persistence on Apple's latest iPhones. They also demoed how to execute code remotely and take control of a server running PHP7 by infecting their own device with a password-stealing malware.

The research shows that querying a database may not be as safe as assumed, Check Point researcher Omer Gull said. "Defenders should now take into consideration the fact that simply querying a database might have disastrous consequences and act accordingly," Gull said. "Attackers can now leverage the use of SQLite database for their own malicious intent."

SQLite is by far the world's most widely deployed database engine, with many billions of copies in use currently. SQLite is embedded in every Android, iOS, and iPhone device; every Mac; every Windows 10 system; and every Chrome, Safari, and Firefox browser. The database is present in Skype, iTunes, Dropbox clients, smart TVs, set-top boxes, and multimedia systems.

Up to now, though — from a security standpoint, at least — SQLite has been examined only through the lens of Internet browsers, Gull noted. "However, this is just the tip of the iceberg," he said. Because of how widely SQLite is used, there are multiple other opportunities for exploiting it.

Check Point researchers decided to see whether they could find, and how they could exploit, memory corruption issues within SQLite using just SQL. The research showed it is possible for attackers to essentially hijack queries in an SQLite environment and inject code of their own into it to trigger errors or to execute malicious actions in applications reading the data.

Check Point found attackers could leverage these issues to gain administrative privileges, create a persistent backdoor, and execute code remotely. "We found several vulnerabilities within the most popular database engine in the world," Gull said. "Not only [did we uncover] those weaknesses but [we] also developed several techniques of exploitation."

Trusted and Untrusted SQL Input
The takeaway for the industry as a whole is that the boundaries of what constitutes trusted and untrusted SQL input need to be revisited, Check Point said.

At DEF CON last week, Check Point researchers demonstrated two real-life scenarios involving their technique. In the first scenario, the researchers deliberately infected their device with a password-stealing malware and then showed how they could execute code on the malware author's command and control servers to take over the crooks' systems.

The second demo focused on the iPhone iOS. By replacing a certain database on the device, the researchers were able to both gain administrative privileges and create a persistent backdoor capable of surviving across reboots. "These two capabilities bypass Apple's hard work on their sandbox and secure boot mitigations," Gull said.

Apple earlier this year issued patches against the vulnerabilities exploited (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, and CVE-2019-8577) in the SQLite attack that the Check Point researchers demonstrated last week.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9501
PUBLISHED: 2019-10-22
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
CVE-2019-16971
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVE-2019-16972
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16973
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.