Connect with us

Hi, what are you looking for?



SQLite Vulnerabilities Demoed With Hacking of iPhone, Malware C&C

Researchers have uncovered some potentially serious SQLite vulnerabilities and they have demonstrated their findings by hacking an iPhone and a command and control (C&C) server used by malware.

Researchers have uncovered some potentially serious SQLite vulnerabilities and they have demonstrated their findings by hacking an iPhone and a command and control (C&C) server used by malware.

SQLite is a small, fast and full-featured database management system contained in a C library. SQLite is widely used and it can be found by default in many mobile and desktop operating systems, including Windows 10, macOS, iOS, Android, BlackBerry 10 OS, Oracle Solaris 10, FreeBSD, and LG webOS. It’s also used by popular web browsers such as Chrome, Firefox and Safari.

Researchers at cybersecurity firm Check Point started investigating SQLite after noticing that some pieces of malware steal passwords from compromised machines by collecting the SQLite database files used by the targeted apps to store passwords. The database files are uploaded to the C&C server and parsed using PHP so that their content can be transferred to a central database where the attackers store all collected passwords.

Check Point’s investigation revealed the existence of several vulnerabilities that allow an attacker to execute arbitrary code by getting an application using SQLite to query a specially crafted database.

They demonstrated their findings by creating a SQLite file that, when stolen by a password stealer and uploaded to the C&C server and processed, would create a web shell on the attacker’s server.

They also demonstrated an attack against iOS, which uses an SQLite database to store contacts in the device’s address book. An attacker who has access to the targeted iPhone can replace the legitimate database file with a malicious version and the process querying the database — the contacts database is shared by FaceTime, Contacts, WhatsApp, Telegram and other apps — would execute the code planted by the attacker in the database.

Apple patched the vulnerabilities — they are tracked as CVE-2019-8600, CVE-2019-8598, CVE-2019-8602 and CVE-2019-8577 — in May with the release of iOS 12.3. Apple’s advisory shows that the flaws can be exploited for privilege escalation, code execution, and to gain access to restricted memory.

Advertisement. Scroll to continue reading.

Check Point told SecurityWeek that it also tested the vulnerabilities against Windows 10, PHP, and macOS. Microsoft, Apple and SQLite developers have been notified, and SQLite developers have released an update to address the underlying issues.

“It would be impossible to chase every vendor using SQLite as it is used in countless situations. Other than the vulnerabilities themselves, it is important for us that the security community would be aware to the exploitation techniques we developed and their implication,” Check Point said via email.

Check Point has published a blog post with the technical details and a video showing an exploit in action.

Related: Apple Patches SQLite, WebKit Bugs in iTunes and iCloud for Windows

Related: Remote Code Execution Vulnerability Impacts SQLite

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.