Many Birds One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software

Black Hat USA 2017

Presented by: Siji Feng, Kun Yang, Zhi Zhou
Date: Wednesday July 26, 2017
Time: 11:15 - 12:05
Location: Mandalay Bay AB

SQLite is widely used as embedded database software for local/client storage in application software, such as web browsers and mobile applications. As a relational database, SQLite is vulnerable to SQL injection attack, which has been well-studied for a long time. Memory corruption bugs in SQLite are usually not considered security issues, since they are normally unlikely to be exploitable. In this talk, we will study several remotely exploitable memory corruption cases to show the dangerous attack surface in SQLite.

The journey of SQLite exploitation starts with Web SQL. Web SQL Database is a web page API for storing data in databases that can be queried using SQL language. Although W3C working group has ceased working on the specification since 2010, many modern browsers including Google Chrome, Apple Safari and Opera have an implementation based on SQLite as the backend for years. We will go through several previous issues of SQLite and discuss how they affect the browsers and how they have been fixed. Also, we will present new vulnerabilities in SQLite that we used to compromise Apple Safari in Pwn2Own 2017. The new bugs exist in all browsers that support Web SQL Database, including browser components Android WebView and iOS UIWebView widely used in mobile applications. We will demonstrate our exploit against multiple browser targets from multiple platforms to show the impact of a single SQLite vulnerability.

Many programming languages have a support of SQLite API bindings such as PHP, Lua and Java. Memory corruption bugs of SQLite may also affect security features of these programming languages. We will show SQLite exploitation in PHP SQLite extension to bypass PHP security restrictions, as an example.

Siji Feng

Siji Feng(a.k.a. Slipper) is a senior security researcher at Chaitin Tech(@ChaitinTech). He was the leader of CTF team 0ops.

Zhi Zhou

Zhi Zhou is a senior security researcher at Chaitin Tech(@ChaitinTech). His research interests include vulnerability discovery, mobile app security and binary exploitation.

Kun Yang

Kun Yang is Chief Security Researcher at Chaitin Tech(@ChaitinTech). He is leading Chaitin Security Research Lab, who pwned Safari, Firefox, macOS and Ubuntu in Pwn2Own 2017. His research interests include vulnerability discovery and binary exploitation. He also plays CTFs as a member of blue-lotus and b1o0p, and has won the second place in DEFCON CTF 2016.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats