Government of the Republic of Trinidad and Tobago

Remote Code Execution Vulnerability Impacts SQLite

Remote Code Execution Vulnerability Impacts SQLite

A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered.

Tracked as CVE-2019-5018 and featuring a CVSS score of 8.1, the vulnerability resides in the window function functionality of Sqlite3 3.26.0 and 3.27.0.

To trigger the flaw, an attacker would need to send a specially crafted SQL command to the victim, which could allow them to execute code remotely.

The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Talos notes.

SQLite implements the Window Functions feature of SQL, allowing queries over a subset, or “window,” of rows, and the newly revealed vulnerability was found in the “window” function.

The security researchers discovered that, after the parsing of a SELECT statement that contains a window function, in certain conditions, the expression-list held by the SELECT object is rewritten and the master window object is used during the process.

When processing an aggregate function and after it is appended to the expression list, the expression is deleted. During deletion, if the expression is marked as a Window Function, the associated Window object and partition for the Window are deleted as well.

The deleted partition is reused after the rewrite of the expression list, which causes a use-after-free vulnerability that leads to a denial of service. However, if the attacker could control the memory after the free, they can corrupt more data and potentially execute code.

“Talos tested and confirmed that versions 3.26.0 and 3.27.0 of SQLite are affected by this vulnerability,” the researchers note.

The security researchers, who published proof-of-concept code, reported the vulnerability to the vendor in early February. An update to patch the issue had been released weeks before the advisory was made public.