STE WILLIAMS

Got SQLite? Get patching: Another RCE hole’s just been found

Cisco Talos researchers have uncovered a SQLite use-after-free vulnerability that could allow an attacker to remotely execute code on an affected device.

“An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0,” said Talos in a blog post describing the vuln, provisionally allocated CVE-2019-5018.

SQLite is an open-source project whose maintainers describe it as “the most used database engine in the world”.

SQLite implements SQL’s Window Functions, and Talos researcher Cory Duplantis found that the way SQLite handles the functions includes reusing a deleted partition.

As he noted: “After this partition is deleted, it is then reused in exprListAppendList, causing a use after free vulnerability, resulting in a denial of service. If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”

Talos published a walkthrough, complete with examples of code highlighting precisely what the vuln is and how it exists. The fix is easy: update to SQLite version 3.28, available on the SQLite website.
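One way to check a host against the versions mentioned above, as an added example that is not from the article or from Talos: it reads the version of the SQLite library linked into the running Python interpreter, compares it numerically with 3.28.0, and probes whether that build accepts window-function syntax at all. The function names and the sample inventory are constructed for illustration.

```python
import re
import sqlite3

FIXED_VERSION = (3, 28, 0, 0)    # release the article says to update to
NAMED_AFFECTED = (3, 26, 0, 0)   # release named in the quoted Talos advisory


def parse_version(text):
    """Turn '3.26.0' or '3.7.6.3' into a 4-tuple of ints for numeric comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a SQLite version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def needs_update(version_text):
    """True when the version is older than the fixed release named in the article."""
    # Tuples compare numerically; as plain strings '3.9.2' would sort after '3.28.0'.
    return parse_version(version_text) < FIXED_VERSION


def has_window_functions(conn):
    """Probe with a harmless query whether this build parses window functions."""
    try:
        conn.execute("SELECT row_number() OVER ()").fetchall()
        return True
    except sqlite3.OperationalError:
        return False


def assess_runtime():
    """Report on the SQLite library this Python process is actually linked against."""
    version = sqlite3.sqlite_version  # library version, not the Python module version
    conn = sqlite3.connect(":memory:")
    try:
        windows = has_window_functions(conn)
    finally:
        conn.close()
    return {
        "version": version,
        "named_in_advisory": parse_version(version) == NAMED_AFFECTED,
        "window_functions": windows,
        "needs_update": needs_update(version),
    }


if __name__ == "__main__":
    for key, value in assess_runtime().items():
        print(f"{key}: {value}")
    # Constructed inventory of versions, e.g. collected from other hosts or apps.
    for v in ["3.9.2", "3.26.0", "3.27.2", "3.28.0", "3.31.1"]:
        print(v, "UPDATE" if needs_update(v) else "ok")
```

This only sees the library Python itself loads; applications that bundle their own copy of SQLite have to be checked separately. A distribution package may also carry a backported fix under an older version number, so treat the version comparison as a first pass.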

Late last year, Tencent researchers spotted an SQLite vuln that could have been abused to inject malware into vulnerable systems, as we reported at the time. That one relied on memory corruption to create the conditions for arbitrary code execution, though the key vector was ordinary users being granted the privs to execute SQL commands.

Less recently, SQLite creator Dwayne Richard Hipp talked to El Reg about the project’s unabashedly Christian code of conduct. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/10/sqlite_rce_vuln/
