Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/12/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Show How SQLite Can Be Modified to Attack Apps

New technique involves query hijacking to trigger a wide range of memory safety issues within the widely used database engine, Check Point says.

The near-ubiquitous presence of the SQLite database on desktop and mobile operating systems makes it an attractive target for attackers. However, efforts at finding and exploiting vulnerabilities in the database engine have focused mostly on WebSQL and the browser layer alone.

Researchers at Check Point Software Technologies have developed a new technique that shows how attackers can reliably trigger and exploit a wide range of memory safety issues in the SQLite engine using nothing other than the SQL language. It is the first research to show how SQL queries can be modified and used to execute malicious commands in applications that use SQLite to store data.

At the 2019 DEF CON hacker conference last week, researchers from Check Point demonstrated how someone could use the technique to bypass Apple's Secure Boot mechanism and gain administrative-level access and persistence on Apple's latest iPhones. They also demoed how to execute code remotely and take control of a server running PHP7 by infecting their own device with a password-stealing malware.

The research shows that querying a database may not be as safe as assumed, Check Point researcher Omer Gull said. "Defenders should now take into consideration the fact that simply querying a database might have disastrous consequences and act accordingly," Gull said. "Attackers can now leverage the use of SQLite database for their own malicious intent."

SQLite is by far the world's most widely deployed database engine, with many billions of copies in use currently. SQLite is embedded in every Android, iOS, and iPhone device; every Mac; every Windows 10 system; and every Chrome, Safari, and Firefox browser. The database is present in Skype, iTunes, Dropbox clients, smart TVs, set-top boxes, and multimedia systems.

Up to now, though — from a security standpoint, at least — SQLite has been examined only through the lens of Internet browsers, Gull noted. "However, this is just the tip of the iceberg," he said. Because of how widely SQLite is used, there are multiple other opportunities for exploiting it.

Check Point researchers decided to see whether they could find, and how they could exploit, memory corruption issues within SQLite using just SQL. The research showed it is possible for attackers to essentially hijack queries in an SQLite environment and inject code of their own into it to trigger errors or to execute malicious actions in applications reading the data.

Check Point found attackers could leverage these issues to gain administrative privileges, create a persistent backdoor, and execute code remotely. "We found several vulnerabilities within the most popular database engine in the world," Gull said. "Not only [did we uncover] those weaknesses but [we] also developed several techniques of exploitation."

Trusted and Untrusted SQL Input
The takeaway for the industry as a whole is that the boundaries of what constitutes trusted and untrusted SQL input need to be revisited, Check Point said.

At DEF CON last week, Check Point researchers demonstrated two real-life scenarios involving their technique. In the first scenario, the researchers deliberately infected their device with a password-stealing malware and then showed how they could execute code on the malware author's command and control servers to take over the crooks' systems.

The second demo focused on the iPhone iOS. By replacing a certain database on the device, the researchers were able to both gain administrative privileges and create a persistent backdoor capable of surviving across reboots. "These two capabilities bypass Apple's hard work on their sandbox and secure boot mitigations," Gull said.

Apple earlier this year issued patches against the vulnerabilities exploited (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, and CVE-2019-8577) in the SQLite attack that the Check Point researchers demonstrated last week.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2916
PUBLISHED: 2019-11-15
qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions.
CVE-2019-12757
PUBLISHED: 2019-11-15
Symantec Endpoint Protection (SEP), prior to 14.2 RU2 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to 12.1 RU6 MP10d (12.1.7510.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt t...
CVE-2019-12758
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to an unsigned code execution vulnerability, which may allow an individual to execute code without a resident proper digital signature.
CVE-2019-12759
PUBLISHED: 2019-11-15
Symantec Endpoint Protection Manager (SEPM) and Symantec Mail Security for MS Exchange (SMSMSE), prior to versions 14.2 RU2 and 7.5.x respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software applicat...
CVE-2019-18372
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.