On Aug 12, 2019, at 1:14 PM, Keith Medcalf <kmedc...@dessus.com> wrote:
> The only interesting thing is CVE-2015-7036, but I don't know if that was so 
> much an SQLite3 issue as it was an issue in the use of the tokenizer by 
> Apple.  In either case, Apple fixed their bugs and SQLite3 was hardened 
> against some inappropriate (unintended by the application developer) uses of 
> the fts3_tokenizer() function.

Generally speaking, the issue was the availability of a built-in function 
accessible from the query language that took a function pointer as a parameter. 

Specifically, the vector was that an attacker with the ability to execute 
arbitrary SQL could cause execution to jump to the address of their choosing 
via the second parameter to fts3_tokenizer(). Using established ROP techniques 
this could be used to gain control of the process.

The attack is even more interesting when combined with Check Point Research's 
recent publication (search for "SELECT code_execution FROM * USING SQLite;"), 
which explains how to gain control of a process from a database file by 
replacing all of its tables with views containing malicious queries.

Scott
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
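The two vectors discussed in the thread above, as an added example that is not part of the original messages: a Python script (standard-library sqlite3 only) that first probes whether the legacy two-argument fts3_tokenizer() call, the one whose second argument is a raw pointer, is still reachable from plain SQL on the local SQLite build, and then inspects the schema of an untrusted database file for the Check Point-style substitution of tables by views (and for triggers, which are the other way a file can make an application's ordinary queries evaluate attacker-chosen SQL). The expected table names, the sample database contents and the function names are assumptions made for the illustration; the "attacker-controlled expression" in the view is a harmless placeholder standing in for whatever a real attacker would put there.

```python
import os
import sqlite3
import tempfile

# Assumed application schema (invented for this example): the tables the
# application expects to find in the file it is about to open.
EXPECTED_TABLES = {"users", "sessions"}


def two_arg_fts3_tokenizer_reachable(conn):
    """Return True if the legacy two-argument fts3_tokenizer() (the
    CVE-2015-7036 vector: the second argument is a pointer-sized blob that
    SQLite used as a sqlite3_tokenizer_module*) can be called from plain SQL.

    This only registers a tokenizer under a throwaway name and never creates
    an FTS table with it, so the bogus pointer is never dereferenced."""
    bogus_pointer = bytes(8)  # deliberately invalid all-zero "pointer" blob
    try:
        conn.execute("SELECT fts3_tokenizer(?, ?)",
                     ("probe_tokenizer", bogus_pointer))
    except sqlite3.OperationalError:
        # Either FTS3 is not compiled in ("no such function") or the two-argument
        # form is disabled, which is the default since SQLite 3.11.0 unless the
        # build uses SQLITE_ENABLE_FTS3_TOKENIZER or the application turns it on
        # with SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER.
        return False
    return True


def schema_findings(conn, expected_tables):
    """Inspect sqlite_master of an untrusted file and report anything that
    would make the application's own queries run SQL chosen by whoever wrote
    the file: expected tables that are really views, missing tables, any
    other views, and any triggers."""
    findings = []
    rows = conn.execute(
        "SELECT type, name, tbl_name, sql FROM sqlite_master").fetchall()
    present = {(row_type, name) for row_type, name, _, _ in rows}
    for name in sorted(expected_tables):
        if ("view", name) in present:
            findings.append(f"expected table {name!r} is a VIEW")
        elif ("table", name) not in present:
            findings.append(f"expected table {name!r} is missing")
    for row_type, name, tbl_name, _ in rows:
        if row_type == "trigger":
            findings.append(f"trigger {name!r} on {tbl_name!r}")
        elif row_type == "view" and name not in expected_tables:
            findings.append(f"unexpected view {name!r}")
    return findings


def build_sample_db(path):
    """Constructed sample (not a real-world file): a database where the
    'users' table has been replaced by a same-named view, so that the
    application's plain `SELECT ... FROM users` evaluates the view body."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE sessions(id INTEGER PRIMARY KEY, token TEXT);
        -- the table the application expects is now a view of the file
        -- author's choosing; sqlite_version() is a harmless placeholder
        -- for an attacker-chosen expression
        CREATE VIEW users AS
            SELECT 1 AS id, 'admin' AS name,
                   sqlite_version() AS attacker_controlled_expression;
        -- a trigger is the other way the file can inject SQL into ordinary
        -- INSERT/UPDATE/DELETE statements issued by the application
        CREATE TRIGGER sessions_ai AFTER INSERT ON sessions
            BEGIN SELECT 1; END;
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the constructed sample file, check it, and return
    (schema findings, whether two-arg fts3_tokenizer() is reachable)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "untrusted.db")
        build_sample_db(path)
        conn = sqlite3.connect(path)
        try:
            return (schema_findings(conn, EXPECTED_TABLES),
                    two_arg_fts3_tokenizer_reachable(conn))
        finally:
            conn.close()


if __name__ == "__main__":
    findings, reachable = demo()
    print("two-argument fts3_tokenizer() reachable:", reachable)
    for finding in findings:
        print("finding:", finding)
```

The schema check is a pre-open gate for files received from an untrusted party: refuse the file, or open it read-only and ignore its views and triggers, when the list is non-empty. It is a complement to, not a substitute for, the engine-level mitigations SQLite added later (the defensive database-config flag and `PRAGMA trusted_schema=OFF`, which keep schema-defined SQL from calling functions that are unsafe for that purpose), since the view substitution itself is perfectly legal SQL that no engine setting can distinguish from a legitimate schema.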