[sqlite] Authorizer bypass "vulnerability"

Matthias-Christian Ott Thu, 13 Apr 2017 05:15:09 -0700

I'm unsure what the threat and security model of SQLite's authorizer
callback is. I think it would only be an effective authorization
mechanism if the attacker was able to only execute SQL statements on a
database and the database was otherwise not accessible to the attacker.
So I'm not sure whether the following behaviour should be seen as a
vulnerability. Nonetheless, I wanted to point out SQLite's behaviour and
document it.


One of the parameters of the authorizer is the name of the database of
the operation that is to be authorized. The documentation gives you the
impression that "main" and "temp" are two reserved database names and
cannot be changed. However, the name of the main database can be changed
by sqlite3_db_config. So if the name of the main database is relevant to
the authorizer, it must be impossible to change it through
sqlite3_db_config (in the context of the application). The following
code demonstrates the "problem":

#include <assert.h>
#include <stddef.h>
#include <string.h>
#include <sqlite3.h>

int auth(void *p, int op, const char *name1, const char *name2,
       const char *dbname, const char *caller)
{
    return dbname != NULL && strcmp(dbname, "main") == 0 ?
        SQLITE_DENY : SQLITE_OK;
}

int main()
{
    int rc;
    sqlite3 *db;

    rc = sqlite3_open(":memory:", &db);
    assert(rc == SQLITE_OK);
    rc = sqlite3_exec(db, "CREATE TABLE t (i)", NULL, NULL, NULL);
    assert(rc == SQLITE_OK);
    rc = sqlite3_set_authorizer(db, &auth, NULL);
    assert(rc == SQLITE_OK);
    rc = sqlite3_exec(db, "SELECT * FROM t", NULL, NULL, NULL);
    assert(rc == SQLITE_AUTH);
    rc = sqlite3_db_config(db, SQLITE_DBCONFIG_MAINDBNAME, "main2");
    assert(rc == SQLITE_OK);
    rc = sqlite3_exec(db, "SELECT * FROM t", NULL, NULL, NULL);
    assert(rc == SQLITE_OK);
    rc = sqlite3_close(db);
    assert(rc == SQLITE_OK);

    return 0;
}

It seems it is not possible to call sqlite3_db_config from SQL, so the
attacker would need to have access to the address space of the database
connection and the database file to bypass the authorizer.

Perhaps it makes sense to either always pass "main" as the database name
of the main database to the authorizer or to introduce an additional
function that allows to retrieve the main database name, for example
sqlite3_db_config_get.

- Matthias-Christian
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Authorizer bypass "vulnerability"

Reply via email to