A new technique for exploiting vulnerabilities in SQLite has been presented.

Researchers from Check Point disclosed at the DEF CON conference the details of a new technique for attacking applications that use vulnerable versions of SQLite. Check Point's method treats database files as a vehicle for embedding scenarios that exploit vulnerabilities in various internal SQLite subsystems which are not directly exploitable on their own. The researchers also devised a way to exploit such vulnerabilities by hiding the exploit inside a chain of SELECT queries stored in the SQLite database, which makes it possible to bypass ASLR.

For a successful attack it must be possible to modify the database files of the targeted application, which limits the method to attacks on applications that use SQLite databases as a transit or input-data format. The method can also be used to extend existing local access, for example to embed hidden backdoors into applications already in use, or to bypass protection mechanisms when malware is analysed by security researchers. Exploitation after the file substitution takes place at the moment the application executes the first SELECT query against a table in the modified database.

As an example, the researchers demonstrated code execution on iOS when the address book is opened, after the file containing the "AddressBook.sqlitedb" database had been modified using the proposed method. The attack used a vulnerability in the fts3_tokenizer function (CVE-2019-8602, pointer dereference), fixed in the April SQLite 2.28 update, together with another vulnerability in the implementation of window functions. In addition, the method was shown being used to take control of an attacker's back-end server written in PHP, which collected passwords captured while malicious code was running (the captured passwords were transferred in the form of an SQLite database).

The attack method relies on two techniques, "Query Hijacking" and "Query Oriented Programming", which make it possible to exploit arbitrary bugs that lead to memory corruption in the SQLite engine. The essence of "Query Hijacking" is to replace the contents of the "sql" field in the sqlite_master service table, which defines the structure of the database. That field holds a DDL (Data Definition Language) block used to describe the structure of the objects in the database. The description is written in standard SQL syntax, i.e. a "CREATE TABLE" construct, which is executed during database initialisation (on the first run of the sqlite3LocateTable function) to create the internal structures associated with the table in memory.

The idea is that, by replacing "CREATE TABLE" with "CREATE VIEW", it becomes possible to control any access to the database by defining one's own view. With "CREATE VIEW", a "SELECT" operation is bound to the table; it is invoked instead of the "CREATE TABLE" definition and gives access to various parts of the SQLite interpreter. From there, the simplest attack would be to call the "load_extension" function, which loads an arbitrary library as an extension, but this function is disabled by default.
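As an added example (not part of the original article or of Check Point's work), the defensive check that the Query Hijacking description implies: before an application issues its first SELECT against an untrusted database file, audit its sqlite_master entries for expected tables that have become views and for schema text referencing the functions named above. The expected table name "users", the helper names and the in-memory sample databases are constructed for this illustration.

```python
import re
import sqlite3

# Functions the article names as exploitation entry points; a schema definition
# received from an untrusted source has no legitimate reason to reference them.
SUSPICIOUS_FUNCS = ("load_extension", "fts3_tokenizer")


def audit_schema_rows(rows, expected_tables):
    """Inspect (type, name, sql) rows from sqlite_master and return findings."""
    findings = []
    by_name = {name: (kind, sql or "") for kind, name, sql in rows}
    for table in expected_tables:
        kind = by_name.get(table, (None, ""))[0]
        if kind is None:
            findings.append(f"missing table: {table}")
        elif kind != "table":
            # Query Hijacking pattern: the table's sqlite_master entry was rewritten
            # so that every access to it goes through an attacker-defined object.
            findings.append(f"{table} is a {kind}, expected a table")
    for name, (kind, sql) in by_name.items():
        for func in SUSPICIOUS_FUNCS:
            if re.search(rf"\b{func}\s*\(", sql, re.IGNORECASE):
                findings.append(f"{kind} {name} references {func}()")
    return findings


def audit_file(path, expected_tables):
    """Open the file read-only and audit sqlite_master before any application query.

    Selecting from sqlite_master returns only the stored DDL text; it does not
    execute any view's SELECT, so the audit runs before a hijacked query could.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT type, name, sql FROM sqlite_master").fetchall()
    finally:
        conn.close()
    return audit_schema_rows(rows, expected_tables)


def build_sample(hijacked):
    """Constructed in-memory sample standing in for an application database file."""
    conn = sqlite3.connect(":memory:")
    if hijacked:
        # Approximates a tampered file: "users" now resolves to a view, not a table.
        conn.executescript(
            "CREATE TABLE users_data(id INTEGER PRIMARY KEY, name TEXT);"
            "CREATE VIEW users AS SELECT id, name FROM users_data;"
        )
    else:
        conn.executescript("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);")
    return conn.execute("SELECT type, name, sql FROM sqlite_master").fetchall()
```

In a deployment the check belongs on the code path that imports or receives database files, so that a file failing the audit is rejected before the application runs its own queries against it.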

For the case where a "SELECT" operation can be executed, the "Query Oriented Programming" technique is proposed, which makes it possible to exploit bugs in SQLite that lead to memory corruption. The technique resembles return-oriented programming (ROP), but instead of existing machine-code snippets it builds its chain of calls ("gadgets") from a set of subqueries inside a SELECT.


source: budenet.ru
