Researchers from Check Point
For the attack to succeed, it must be possible to modify the data files of the targeted application, which limits the attack vector to applications that use SQLite databases as a format for transit and input data. The method can also be used to extend already obtained local access, for example to embed hidden backdoors into applications in use, and to bypass the security mechanisms used by security researchers when analyzing malware. The payload is triggered after the file substitution at the moment the application executes its first SELECT query against a table in the modified database.
As an example, the ability to execute code in iOS when opening the address book was demonstrated, with the "AddressBook.sqlitedb" database file modified using the proposed method. The attack used a vulnerability in the fts3_tokenizer function (CVE-2019-8602, a pointer dereference), fixed in the April SQLite 2.28 update, together with another
The attack method relies on two techniques, "Query Hijacking" and "Query Oriented Programming", which make it possible to exploit arbitrary bugs that lead to memory corruption in the SQLite engine. The essence of "Query Hijacking" is replacing the contents of the "sql" field in the sqlite_master service table, which defines the structure of the database. That field contains the DDL (Data Definition Language) block used to describe the structure of the objects in the database. The description is given in standard SQL syntax, i.e. a "CREATE TABLE" construct is used, which is executed during database initialization (on the first call of the sqlite3LocateTable function) to create the internal in-memory structures associated with the table.
The idea is that, by replacing "CREATE TABLE" with "CREATE VIEW", it becomes possible to control any access to the database by defining one's own view. When "CREATE VIEW" is used, a "SELECT" operation is bound to the table; it is invoked instead of "CREATE TABLE" and gives access to different parts of the SQLite interpreter. From there, the simplest attack method would be to call the "load_extension" function, which allows loading an arbitrary library as an extension, but this function is disabled by default.
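The substitution described above is invisible to the application: a SELECT on the expected table name returns rows whether the name refers to a real table or to a view that was planted in sqlite_master. The following script, an added example that is not code from Check Point or from the SQLite project, shows that transparency on two constructed in-memory databases and then runs a schema audit of the kind an application can perform before its first query on a file received from outside. The expected-schema map (`EXPECTED`), the table and column names and the sample rows are all assumptions made up for this example.

```python
import re
import sqlite3

# Constructed assumption: the objects the application expects in the file,
# mapped to the kind of object each must be. Anything else is reported.
EXPECTED = {"contacts": "table", "contacts_name": "index"}

# The DDL text each expected object kind must start with. SQLite parses the
# "sql" column when it loads the schema, so the text itself is checked, not
# only the "type" column.
CREATE_RE = {
    "table": re.compile(r"^\s*CREATE\s+TABLE\b", re.IGNORECASE),
    "index": re.compile(r"^\s*CREATE\s+(?:UNIQUE\s+)?INDEX\b", re.IGNORECASE),
}


def audit_schema(con, expected):
    """Return a list of findings for sqlite_master entries that do not match
    the expected schema. An empty list means the schema looks as declared."""
    findings = []
    seen = set()
    rows = con.execute("SELECT type, name, tbl_name, sql FROM sqlite_master").fetchall()
    for obj_type, name, tbl_name, sql in rows:
        if name.startswith("sqlite_"):  # internal entries such as sqlite_autoindex_*
            continue
        seen.add(name)
        want = expected.get(name)
        if want is None:
            # Views and triggers are the objects that make SQL run on access,
            # so any object the application did not create is suspicious.
            findings.append(f"unexpected {obj_type} {name!r} on {tbl_name!r}: {sql!r}")
        elif obj_type != want or not sql or not CREATE_RE[want].match(sql):
            # The query-hijacking case: the name is still there, but its DDL
            # is no longer the CREATE TABLE the application relies on.
            findings.append(f"{name}: expected a {want}, found {obj_type}: {sql!r}")
    for missing in sorted(set(expected) - seen):
        findings.append(f"{missing}: missing from sqlite_master")
    return findings


def make_clean_db():
    """Constructed sample: the schema exactly as the application created it."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE INDEX contacts_name ON contacts(name);
        INSERT INTO contacts(name, phone) VALUES ('alice', '555-0100');
    """)
    return con


def make_substituted_db():
    """Constructed sample of a substituted file: the name the application
    queries is now a view, so every SELECT on it runs the view's SQL first.
    The view body here is harmless and just forwards to a renamed table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts_data(id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        INSERT INTO contacts_data(name, phone) VALUES ('alice', '555-0100');
        CREATE VIEW contacts AS SELECT id, name, phone FROM contacts_data;
    """)
    return con


def read_contacts(con):
    """The application's own query; it cannot tell table from view by the result."""
    return con.execute("SELECT name, phone FROM contacts").fetchall()


if __name__ == "__main__":
    for label, con in (("clean", make_clean_db()), ("substituted", make_substituted_db())):
        print(label, "rows:", read_contacts(con))
        for finding in audit_schema(con, EXPECTED) or ["schema matches expectation"]:
            print("   ", finding)
```

Running the script shows identical rows from both files and findings only for the substituted one: the expected table has become a view, an unexpected table appeared, and the expected index is gone. Because the payload in the article fires on the first SELECT, an audit of this kind has to read sqlite_master before the application issues any query of its own against the file's tables.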
For attacking when only a "SELECT" operation can be executed, the "Query Oriented Programming" technique is proposed, which makes it possible to exploit bugs in SQLite that lead to memory corruption. The technique is reminiscent of return-oriented programming (
source: budenet.ru