Dear sirs,
We have detected a vulnerability in SQLite for OS/2. Vulnerability details
can be found in the attachment.
Our disclosure policy is available here:
http://en.securitylab.ru/lab/disclosure-policy.php
--
Yury Maryshev
Security Engineer
Positive Technologies
Tel: +007 (495) 744-0144
[email protected]
www.ptsecurity.com
en.securitylab.ru
(PT-2012-22) Positive Technologies Security Advisory
Format string vulnerability in SQLite
--[ Vulnerable software ]
SQLite for OS/2 (eComStation)
Version: 3.x and earlier
Application link:
http://sqlite.org/
--[ Severity level ]
Severity level: Medium
Impact: Arbitrary Code Execution
Access Vector: Network exploitable
CVSS v2:
Base Score: 6.6
Vector: (AV:N/AC:H/Au:N/C:C/I:P/A:P)
CVE: not assigned
--[ Software Description ]
SQLite is a lightweight embedded relational database.
--[ Vulnerability Description ]
When SQLite opens a file on the OS/2 operating system (eComStation), the
path to be converted from a relative one to an absolute one is handled by the
os2FullPathname function. During that function's execution the converted path
is passed to sqlite3_snprintf as the format string itself, rather than as an
argument to a format string. This allows an attacker-controlled path to supply
format directives (conversion specifiers such as "%s") that sqlite3_snprintf
will interpret.
The vulnerability is in the file /sqlite3.c.
Vulnerable code fragment:
static int os2FullPathname(
  ...
  const char *zRelative,    /* Possibly relative input path */
  ...
  char *zFull               /* Output buffer */
){
  char *zRelativeCp = convertUtf8PathToCp( zRelative );
  ...
  APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
                                zFullCp, CCHMAXPATH );
  free( zRelativeCp );
  zFullUTF = convertCpPathToUtf8( zFullCp );
  sqlite3_snprintf( nFull, zFull, zFullUTF );   /* path used as the format string */
  ...
Exploitation Example
Opening a database named "%s%s%s%s%s%s%s" causes SQLite to fail: each "%s"
is consumed as a conversion with no matching argument.
--[ Solution ]
The issue can be solved by changing one line in the vulnerable code fragment
so that the path is passed as an argument to a constant "%s" format rather
than as the format itself.
Original line:
sqlite3_snprintf( nFull, zFull, zFullUTF );
Fixed line:
sqlite3_snprintf( nFull, zFull, "%s", zFullUTF );
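The following is an added example, not code from SQLite or from the advisory, that isolates the final copy step described above: a stand-in for sqlite3_snprintf with the same argument order (size, buffer, format, ...), the vulnerable call beside the fixed one, and a small review aid that counts the format directives an untrusted string would trigger if it were ever used as a format. The wrapper name my_snprintf, the buffer size 260 (assumed to match OS/2's CCHMAXPATH) and the sample paths are all constructed for the example. The vulnerable variant is only ever called with an ordinary path here, which is exactly why such a bug survives in testing: on names without a "%" it behaves identically to the fix.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 260   /* assumed stand-in for OS/2's CCHMAXPATH */

static char g_full[PATH_BUF_LEN];

/* Stand-in for sqlite3_snprintf: same argument order as SQLite's (size, buffer,
 * format, ...). Like the real function it carries no printf-format attribute,
 * so the compiler cannot warn when a caller passes data where the format belongs. */
static void my_snprintf(int n, char *zBuf, const char *zFormat, ...)
{
    va_list ap;
    va_start(ap, zFormat);
    vsnprintf(zBuf, (size_t)n, zFormat, ap);
    va_end(ap);
}

/* The pattern the advisory describes: the resolved path becomes the format.
 * Returns the output buffer so the result can be compared by the caller. */
static const char *copy_full_path_vulnerable(const char *zFullUTF)
{
    my_snprintf(sizeof g_full, g_full, zFullUTF);        /* path interpreted as a format */
    return g_full;
}

/* The advisory's fix: a constant format, the path only ever an argument. */
static const char *copy_full_path_fixed(const char *zFullUTF)
{
    my_snprintf(sizeof g_full, g_full, "%s", zFullUTF);  /* path copied verbatim */
    return g_full;
}

/* Review aid: count the conversions a string would trigger if it were misused as
 * a printf-style format. A doubled "%%" is a literal percent sign and is not
 * counted. Useful as a fuzzing oracle or a log-line check for file names. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints one '%' and consumes no argument */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *benign  = "C:\\data\\app.db";   /* constructed ordinary OS/2-style path */
    const char *hostile = "%s%s%s%s%s%s%s";     /* the database name from the advisory */

    /* On an ordinary name the bug is invisible: both variants produce the same copy. */
    printf("vulnerable, benign : %s\n", copy_full_path_vulnerable(benign));
    printf("fixed,      benign : %s\n", copy_full_path_fixed(benign));

    /* Only the fixed variant is safe to hand the hostile name. */
    printf("fixed,      hostile: %s (%d directives)\n",
           copy_full_path_fixed(hostile), count_format_directives(hostile));
    return 0;
}
```

The wrapper is deliberately left without `__attribute__((format(printf, 3, 4)))`; adding that attribute to the real sqlite3_snprintf declaration is what would let a compiler flag this call site at build time, and count_format_directives gives the same signal at run time for any path that arrives from outside.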
--[ Credits ]
The vulnerability was discovered by Sergey Bobrov, Positive Research Center
(Positive Technologies Company)
_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users