Magellan error: Buffer overrun or world expedition using SQLite FTS

    Somehow the recent Magellan bug and the vulnerabilities related to it have passed Habr by; I will try to correct this omission.

    A bit of history

    • On November 1, 2018, bug report number 900910 was filed against Chromium: "Multiple issues in SQLite via WebSQL." The bug was reported by Wenxiang Qian of the Tencent Blade Team.
    • On November 5, 2018, the bug was fixed in the core of the SQLite library (FTS3), where it had actually lived almost since the creation of that module, i.e. since November 2009.
    • On November 28, 2018, the fix was merged into Chromium.
    • A little later, Tencent Blade Team publishes an advisory for the bug, giving it the name Magellan, deliberately without disclosing details, and indicating that publication of ready-made exploits and PoCs is not planned yet.
    • A week later, the Internet is full of PoCs crashing Chrome, the Electron framework, etc. There is still no evidence, or any other information, that the vulnerability has been used for malicious purposes.
    • DRH confirmed on Hacker News the suspicion that the vulnerability is real (at least where execution of a "foreign" SQL query, or SQL injection of such a query, is allowed).

    What could be affected?

    Potentially, all devices and programs that use SQLite (with FTS enabled), or that use or are based on applications that do (such as Chromium). The extent to which they can be affected, and the effect of a possible compromise, depend on whether a suitable attack vector has been found.

    A little more about Magellan SQLite BUG

    The bug is an integer overflow that can be triggered in the FTS3/4 subsystem by modifying the FTS index of a table, which in turn can lead to memory corruption or to termination with an exception.

    Deliberately triggering this integer overflow, with suitably sized write buffers, leads to a buffer overrun, which specially crafted SQL queries can then exploit.

    As a result, in theory, many applications using SQLite (with virtual FTS tables) are affected, and in particular the popular browsers that support SQLite-based WebSQL with FTS enabled (for example, Google Chrome, Chromium, Opera, Slimjet Browser, SRWare Iron, Torch, Comodo Dragon, CoolNovo, Yandex Browser, Vivaldi, etc.).

    SQLite databases are generally very popular: bindings are provided for more than a dozen programming languages, toolchains, frameworks, etc.; they are used by applications both on mobile devices and on desktop computers, and are often found even in server-side solutions. For example, data in this format is stored by popular web browsers such as Google Chrome, Mozilla Firefox and Yandex Browser, by many instant messengers (for example, WhatsApp, Viber, WeChat and others), and so on.

    Fossil SCM, for example, uses an SQLite database to store revision history and lets you use full-text indexing via FTS (and exposes it through the UI / web front end, where, for example, you can write your own SQL queries for custom ticket reports, etc.).

    Update: DRH, being part-time co-author and developer of Fossil, apparently had the same thought and has already "closed the hole" by updating SQLite to 3.26.0.

    Such a "predictable" overflow is not a pleasant thing in itself, but if you remember what exactly can be stored in the database itself (from the contents of logs to the actual tables)...
    So, comrades, don't be lazy: update, update.

    Where to get fix?

    The fix [940f2adc8541a838] is provided as part of the SQLite 3.25.3 update (to which Chromium and Co. have also been updated, for example, Chrome in version 71.0.3578.80).

    SQLite version 3.26 also provides additional security features for FTS containers, for example:

    support for read-only shadow tables when the SQLITE_DBCONFIG_DEFENSIVE option is enabled
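As an added example (not code from the original post or from the SQLite project), here is a check a defender can run against a deployment: does the linked SQLite carry the 3.25.3 fix, is the FTS3/4 module compiled in at all, and can the 3.26 defensive mode be switched on. The helper names are mine, and the use of Python 3.12's Connection.setconfig() is an assumption; on older Pythons the function simply reports that defensive mode could not be enabled.

```python
import sqlite3

# First SQLite release carrying the FTS3/4 fix (check-in 940f2adc8541a838).
PATCHED_VERSION = (3, 25, 3)


def parse_version(text):
    """'3.25.3' -> (3, 25, 3); a missing component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_patched(version_text):
    """True if this SQLite version string includes the Magellan fix."""
    return parse_version(version_text) >= PATCHED_VERSION


def fts_compiled_in(conn):
    """True if FTS3/FTS4 (the module holding the bug) is built into the library."""
    options = {row[0] for row in conn.execute("PRAGMA compile_options")}
    return "ENABLE_FTS3" in options


def enable_defensive(conn):
    """Switch on SQLITE_DBCONFIG_DEFENSIVE (read-only shadow tables, SQLite >= 3.26.0)
    via the Python 3.12+ setconfig() API (assumed); True only if it is now enabled."""
    flag = getattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE", None)
    if flag is None or not hasattr(conn, "setconfig"):
        return False
    conn.setconfig(flag, True)
    return bool(conn.getconfig(flag))


def audit(conn):
    """Summarise exposure of the linked SQLite library for the given connection."""
    version = sqlite3.sqlite_version
    return {
        "sqlite_version": version,
        "patched": is_patched(version),
        "fts_compiled_in": fts_compiled_in(conn),
        "defensive_mode": enable_defensive(conn),
    }


def audit_memory_db():
    """Run the audit against a throwaway in-memory database and return the report."""
    conn = sqlite3.connect(":memory:")
    report = audit(conn)
    conn.close()
    return report
```

A build that reports `fts_compiled_in` as False is not reachable by this bug at all; one that is patched but cannot enable defensive mode still relies on the 3.25.3 fix alone.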

    What is the danger of this vulnerability?

    Critical. Allows remote code execution. A memory leak and program crashes are also likely.

    Are there any examples of ready-made exploits to exploit the vulnerability?

    In particular, Tencent Blade Team states that they have successfully carried out an attack on Google Home using this vulnerability (access to the issue description on the Google bug tracker is closed), and, as already mentioned above, no exploit code is currently planned to be disclosed.

    Conditions for exploiting the vulnerability?

    The vulnerability can be exploited remotely, for example when a certain web page is opened in the browser, or in any similar scenario that allows SQL statements to be executed (provided FTS is not disabled, and once a suitable attack vector and/or other factors contributing to exploitation are present).

    By the way, this is not the first overflow / buffer-overrun bug in SQLite in general, or in the FTS module in particular (see, for example, [56be976859294027]), but it is probably the most significant of its kind in terms of theoretical impact and the relative "scale" of its possible uses, and in the attention it has received.
