Researchers have uncovered some potentially serious SQLite vulnerabilities and they have demonstrated their findings by hacking an iPhone and a command and control (C&C) server used by malware.
SQLite is a small, fast and full-featured database management system contained in a C library. SQLite is widely used and it can be found by default in many mobile and desktop operating systems, including Windows 10, macOS, iOS, Android, BlackBerry 10 OS, Oracle Solaris 10, FreeBSD, and LG webOS. It’s also used by popular web browsers such as Chrome, Firefox and Safari.
Researchers at cybersecurity firm Check Point started investigating SQLite after noticing that some pieces of malware steal passwords from compromised machines by collecting the SQLite database files used by the targeted apps to store passwords. The database files are uploaded to the C&C server and parsed using PHP so that their content can be transferred to a central database where the attackers store all collected passwords.
Check Point’s investigation revealed the existence of several vulnerabilities that allow an attacker to execute arbitrary code by getting an application using SQLite to query a specially crafted database.
They demonstrated their findings by creating a SQLite file that, when stolen by a password stealer and uploaded to the C&C server and processed, would create a web shell on the attacker’s server.
They also demonstrated an attack against iOS, which uses an SQLite database to store contacts in the device’s address book. An attacker who has access to the targeted iPhone can replace the legitimate database file with a malicious version and the process querying the database — the contacts database is shared by FaceTime, Contacts, WhatsApp, Telegram and other apps — would execute the code planted by the attacker in the database.
Apple patched the vulnerabilities — they are tracked as CVE-2019-8600, CVE-2019-8598, CVE-2019-8602 and CVE-2019-8577 — in May with the release of iOS 12.3. Apple’s advisory shows that the flaws can be exploited for privilege escalation, code execution, and to gain access to restricted memory.
Check Point told SecurityWeek that it also tested the vulnerabilities against Windows 10, PHP, and macOS. Microsoft, Apple and SQLite developers have been notified, and SQLite developers have released an update to address the underlying issues.
“It would be impossible to chase every vendor using SQLite as it is used in countless situations. Other than the vulnerabilities themselves, it is important for us that the security community would be aware to the exploitation techniques we developed and their implication,” Check Point said via email.
Check Point has published a blog post with the technical details and a video showing an exploit in action.