A high-severity vulnerability has been disclosed in the SQLite database library, which was introduced as part of a code change dating all the way back to October 2000 and could enable attackers to crash or control programs.
Tracked as CVE-2022-35737[1] (CVSS score: 7.5), the 22-year-old issue affects SQLite versions 1.0.12[2] through 3.39.1, and has been addressed in version 3.39.2[3], released on July 21, 2022.
“CVE-2022-35737 is exploitable[4] on 64-bit systems, and exploitability depends on how the program is compiled,” Trail of Bits researcher Andreas Kellas said[5] in a technical write-up published today. “Arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases.”
Programmed in C, SQLite[6] is the most widely used[7] database engine[8], included by default in Android, iOS, Windows, and macOS, as well as popular web browsers such as Google Chrome, Mozilla Firefox, and Apple Safari.
The vulnerability discovered by Trail of Bits concerns an integer overflow bug[9] that occurs when extremely large string inputs are passed as parameters to the SQLite implementations of the printf functions[10], which in turn rely on another function to handle the string formatting (“sqlite3_str_vappendf”[11]).

Exploiting the flaw, however, requires that the format string contain the %Q, %q, or %w format substitution types[12]; when it does, user-controlled data can be written beyond the bounds of a stack-allocated buffer, potentially crashing the program.
“If the format string contains the ‘!’ special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause the program to hang and loop (nearly) indefinitely,” Kellas explained.
The vulnerability also illustrates how a scenario deemed impractical decades ago — allocating 1GB strings as input — has been rendered feasible by the advent of 64-bit computing[13] systems.

“It’s a bug that may not have seemed like an error at the time that it was written (dating back to 2000 in the SQLite source code) when systems were primarily 32-bit architectures,” Kellas said.
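The following C program is an added example, not code from the article, from Trail of Bits, or from SQLite itself. It models the bug class the article describes (a string length tracked in a 32-bit int while 64-bit inputs can exceed INT_MAX bytes) and shows the two checks a defender can apply: reject oversized caller-controlled text before it reaches an int-length path, and confirm the linked SQLite is at least the fixed release, 3.39.2. All function and macro names here (narrowed_length, fits_int_length, escaped_capacity, SQLITE_PATCHED_VERSION_NUMBER) are this example's own; the assumption that a quote-escaping format may expand each input byte to two output bytes is likewise the example's, not a statement from the article. The version check takes the number as a parameter so the file builds without libsqlite3; in a real program you would pass it the result of SQLite's sqlite3_libversion_number().

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not SQLite's code. Models the bug class behind
 * CVE-2022-35737: a length kept in a 32-bit int while the input, on a
 * 64-bit system, can be larger than INT_MAX bytes.
 */

/* What an int-typed length variable ends up holding for an n-byte input.
 * The narrowing is implementation-defined; on the usual two's-complement
 * ABIs it wraps, so a 2 GiB input becomes INT_MIN (negative). */
int narrowed_length(size_t n) {
    return (int)n;
}

/* Guard to apply before handing caller-controlled text to any routine that
 * tracks its length in an int: returns 1 only if the length fits. */
int fits_int_length(size_t n) {
    return n <= (size_t)INT_MAX;
}

/* Worst-case output size for a quote-escaping format, under the example's
 * assumption that each input byte may become two output bytes, plus two
 * enclosing quotes and a terminator. Returns 0 (never a valid capacity here)
 * when 2*n + 3 would overflow size_t, so the caller cannot under-allocate. */
size_t escaped_capacity(size_t n) {
    if (n > (SIZE_MAX - 3) / 2) {
        return 0;
    }
    return 2 * n + 3;
}

/* The fixed release named in the article is 3.39.2. SQLite reports its
 * version X.Y.Z through sqlite3_libversion_number() as X*1000000 + Y*1000 + Z,
 * so a patched build reports 3039002 or higher. */
#define SQLITE_PATCHED_VERSION_NUMBER 3039002

int sqlite_version_is_patched(int libversion_number) {
    return libversion_number >= SQLITE_PATCHED_VERSION_NUMBER;
}

int main(void) {
    size_t two_gib = (size_t)1 << 31;   /* constructed input size */

    printf("int length of a 2 GiB input: %d\n", narrowed_length(two_gib));
    printf("fits_int_length(2 GiB): %d\n", fits_int_length(two_gib));
    printf("escaped_capacity(100): %zu bytes\n", escaped_capacity(100));
    printf("escaped_capacity(SIZE_MAX): %zu (0 = overflow)\n",
           escaped_capacity(SIZE_MAX));
    printf("3.39.1 patched: %d, 3.39.2 patched: %d\n",
           sqlite_version_is_patched(3039001),
           sqlite_version_is_patched(3039002));
    return 0;
}
```

The point of the two length helpers is the order of operations: the size check happens in size_t before anything is narrowed to int, which is exactly what the original 2000-era code could assume away on 32-bit systems and a 64-bit build cannot.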
References
- [1] CVE-2022-35737 (nvd.nist.gov)
- [2] 1.0.12 (www.sqlite.org)
- [3] version 3.39.2 (www.sqlite.org)
- [4] exploitable (github.com)
- [5] said (blog.trailofbits.com)
- [6] SQLite (thenewstack.io)
- [7] most widely used (www.sqlite.org)
- [8] database engine (en.wikipedia.org)
- [9] integer overflow bug (cwe.mitre.org)
- [10] printf functions (www.sqlite.org)
- [11] sqlite3_str_vappendf (www.sqlite.org)
- [12] the %Q, %q, or %w format substitution types (www.sqlite.org)
- [13] 64-bit computing (en.wikipedia.org)
Read more https://thehackernews.com/2022/10/22-year-old-vulnerability-reported-in.html