SQLite vulnerability allows remote attacks on Chrome via WebSQL

Security researchers from the Chinese company Tencent have presented a new variant of the Magellan vulnerability (CVE-2019-13734), which allows code execution when SQLite structures are processed in a particular way. A similar vulnerability was published by the same researchers a year ago. The issue is notable because it allows a remote attack on the Chrome browser: code is executed on the user's system when the user opens a web page controlled by the attacker.

The attack on Chrome/Chromium is carried out through the WebSQL API, whose implementation is based on the SQLite code. Other applications can be attacked only if they let SQL statements from outside reach SQLite, for example by using SQLite as a data-exchange format. Firefox is not affected, since Mozilla declined to implement WebSQL in favour of the IndexedDB API.

Google fixed the issue in Chrome 79. In the SQLite codebase the problem was fixed on November 17, and in the Chromium codebase on November 21.

The flaw is in the code of the FTS3 full-text search engine: manipulation of shadow tables (the ordinary, writable tables in which a virtual table stores its data) can corrupt the index and cause buffer overflows. Details of the exploitation technique will be published in 90 days.

A new SQLite release containing the fix has not yet been made (it is expected on December 31). As a workaround, starting with SQLite 3.26.0 the SQLITE_DBCONFIG_DEFENSIVE mode can be enabled; it prohibits direct writes to shadow tables and is recommended whenever SQLite processes SQL from external sources. The mode is set per database connection with sqlite3_db_config(), so it must be enabled on every connection before untrusted SQL is executed. In distributions, the vulnerability in the SQLite library remains unpatched in Debian, Ubuntu, RHEL, openSUSE/SUSE, Arch Linux, Fedora and FreeBSD. Chromium in all distributions is already updated and is not affected, but the issue may affect third-party browsers and applications built on the Chromium engine, as well as WebView-based Android applications.
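The workaround above, as an added example that is not code from the advisory, from SQLite or from Chromium: it uses Python's standard sqlite3 module and Connection.setconfig() (available from Python 3.12) to switch on SQLITE_DBCONFIG_DEFENSIVE for one connection, then shows that the FTS3 table itself keeps working while a direct INSERT into its docs_segdir shadow table, the kind of write that untrusted SQL would need for the attack described above, is refused with "table docs_segdir may not be modified". The table name docs, the column body and the sample row are this example's own assumptions; the bogus segdir row is deliberately harmless and does not attempt the overflow.

```python
import sqlite3

# Added example; not code from the advisory, SQLite or Chromium.
# Assumptions: Python 3.12+ for Connection.setconfig(), an SQLite build
# with FTS3 (3.26.0 or later for SQLITE_DBCONFIG_DEFENSIVE), and the
# table/column names "docs"/"body" chosen for this demo.

DEFENSIVE_SUPPORTED = hasattr(sqlite3.Connection, "setconfig") and hasattr(
    sqlite3, "SQLITE_DBCONFIG_DEFENSIVE"
)


def open_db(defensive):
    """Open an in-memory database and build a small FTS3 index in it.

    With defensive=True the connection is put into SQLITE_DBCONFIG_DEFENSIVE
    mode first; this is the Python equivalent of
    sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, 0) in C.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    if defensive:
        if not DEFENSIVE_SUPPORTED:
            raise RuntimeError(
                "Connection.setconfig needs Python 3.12+ and SQLite >= 3.26.0"
            )
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)
    # FTS3 stores its data in ordinary "shadow" tables that it creates
    # itself: docs_content, docs_segments and docs_segdir.
    conn.execute("CREATE VIRTUAL TABLE docs USING fts3(body)")
    # Constructed sample row.
    conn.execute("INSERT INTO docs(body) VALUES ('magellan shadow table demo')")
    return conn


def shadow_tables(conn):
    """Names of the ordinary tables backing the FTS3 index."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name GLOB 'docs_*' ORDER BY name"
    )
    return [r[0] for r in rows]


def match_count(conn, term):
    """Number of rows the full-text index returns for a term."""
    return conn.execute(
        "SELECT count(*) FROM docs WHERE docs MATCH ?", (term,)
    ).fetchone()[0]


def direct_shadow_write_allowed(conn):
    """Write into the segment directory directly, as untrusted SQL would.

    Returns True if SQLite accepted the write and False if it refused it
    because the connection is in defensive mode.
    """
    try:
        conn.execute(
            "INSERT INTO docs_segdir"
            "(level, idx, start_block, leaves_end_block, end_block, root) "
            "VALUES (0, 99, 0, 0, 0, x'00')"
        )
        return True
    except sqlite3.OperationalError as exc:
        if "may not be modified" not in str(exc):
            raise
        return False


def demo(defensive):
    """Run the comparison on one connection and report what happened."""
    conn = open_db(defensive)
    tables = shadow_tables(conn)
    hits_before = match_count(conn, "magellan")
    allowed = direct_shadow_write_allowed(conn)
    # Query again only when the write was refused: after a successful bogus
    # write the index is corrupt and the result would be undefined.
    hits_after = None if allowed else match_count(conn, "magellan")
    conn.close()
    return {
        "shadow_tables": tables,
        "direct_write_allowed": allowed,
        "hits_before": hits_before,
        "hits_after": hits_after,
    }


if __name__ == "__main__":
    print("without defensive mode:", demo(False))
    if DEFENSIVE_SUPPORTED:
        print("with defensive mode:   ", demo(True))
```

Without the flag the direct write into docs_segdir is accepted, which is exactly what an attacker who can submit SQL relies on; with the flag the FTS3 table still accepts inserts and answers MATCH queries (its own internal writes to the shadow tables are made from inside the virtual-table module and are still permitted), but the external write is rejected at prepare time. Because the setting is per connection, an application must apply it to every connection it opens before any external SQL runs on it.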

In addition, four less dangerous issues have been identified in SQLite (CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753), which can lead to information leaks and bypass of restrictions (and can serve as building blocks in an attack on Chrome). These issues were fixed in the SQLite code on December 13. Together, the problems allowed the researchers to prepare a working exploit that executes code in the context of the Chromium renderer process.

Source: opennet.ru