Researchers from Check Point
For a successful attack, the attacker must be able to modify the database file of the targeted application, which limits the attack to applications that use SQLite databases as a transport format or as input data. The technique can also be used to extend already existing local access, for example to plant hidden backdoors in installed applications, or to bypass protection mechanisms when malware is analysed by security researchers. Execution after the file substitution takes place at the moment the application runs its first SELECT query against a table in the modified database.
As an example, the researchers demonstrated the ability to run code on iOS when opening the address book, after the file with the "AddressBook.sqlitedb" database had been modified using the proposed method. The attack exploited a vulnerability in the fts3_tokenizer function (CVE-2019-8602, pointer dereference), fixed among others in the April SQLite 2.28 update.
The attack method is based on two techniques, "Query Hijacking" and "Query Oriented Programming", which allow arbitrary bugs leading to memory corruption in the SQLite engine to be exploited. The essence of "Query Hijacking" is to replace the contents of the "sql" field in the sqlite_master service table, which defines the structure of the database. That field contains the DDL (Data Definition Language) statement used to describe the structure of the objects in the database. The description is written in standard SQL syntax, i.e. using the "CREATE TABLE" construct, which is executed during database initialisation (during the first invocation of the sqlite3LocateTable function, which creates the in-memory structures associated with the table).
The idea is that by replacing "CREATE TABLE" with "CREATE VIEW", any access to the database can be controlled by defining one's own view. With "CREATE VIEW", a "SELECT" operation is bound to the table; it is invoked in place of "CREATE TABLE" and gives access to various parts of the SQLite interpreter. From there, the simplest attack would be to call the "load_extension" function, which loads arbitrary libraries as extensions, but this function is disabled by default.
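The substitution described in the two passages above (a modified file whose first SELECT triggers the attack, and a "CREATE TABLE" swapped for a "CREATE VIEW" in sqlite_master) can be caught by an application before it queries any of its own tables. The following is an added example written for this article, not code from the Check Point research or from the SQLite project: it compares the objects recorded in sqlite_master with a hypothetical expected schema (a single "contacts" table) and flags any schema text that calls the load_extension() or fts3_tokenizer() functions named in the article. Both sample databases are constructed in memory for the demonstration.

```python
"""Schema audit for an SQLite file received from an untrusted source.

Added example (not code from the Check Point research or from SQLite).
The application declares which objects it expects and of which type; a
file whose "CREATE TABLE" has been swapped for a "CREATE VIEW", or whose
schema references load_extension()/fts3_tokenizer(), is rejected before
the application issues its first SELECT against one of its tables.
"""
import re
import sqlite3
from typing import Dict, List

# Hypothetical application schema: object name -> expected object type.
EXPECTED_SCHEMA: Dict[str, str] = {"contacts": "table"}

# Function names from the article that have no business in a schema
# definition shipped inside a data file.
SUSPICIOUS_FUNCTIONS = ("load_extension", "fts3_tokenizer")


def references_suspicious_function(sql: str) -> bool:
    """True if a schema statement calls one of the listed functions."""
    lowered = sql.lower()
    return any(re.search(rf"\b{fn}\s*\(", lowered) for fn in SUSPICIOUS_FUNCTIONS)


def audit_schema(conn: sqlite3.Connection, expected: Dict[str, str]) -> List[str]:
    """Compare sqlite_master with the expected schema; an empty list means clean.

    Only the schema table is read here; no application table is queried,
    so a hijacked view is never evaluated by this check.
    """
    findings: List[str] = []
    seen: Dict[str, str] = {}
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL"
    ).fetchall()
    for obj_type, name, sql in rows:
        seen[name] = obj_type
        want = expected.get(name)
        if want is None:
            findings.append(f"unexpected {obj_type} {name!r}")
        elif want != obj_type:
            findings.append(f"{name!r} is a {obj_type}, expected {want}")
        if references_suspicious_function(sql):
            findings.append(f"{obj_type} {name!r} references a blocked function")
    for name, want in expected.items():
        if name not in seen:
            findings.append(f"missing {want} {name!r}")
    return findings


def build_clean_db() -> sqlite3.Connection:
    """Constructed sample: exactly the schema the application expects."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE contacts(name TEXT, phone TEXT);")
    return conn


def build_tampered_db() -> sqlite3.Connection:
    """Constructed sample: the expected table has become a view over another
    table, mirroring the CREATE TABLE -> CREATE VIEW swap described above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE contacts_data(name TEXT, phone TEXT);"
        "CREATE VIEW contacts AS SELECT name, phone FROM contacts_data;"
    )
    return conn


if __name__ == "__main__":
    for label, conn in (("clean", build_clean_db()), ("tampered", build_tampered_db())):
        print(label, audit_schema(conn, EXPECTED_SCHEMA) or "OK")
```

For a real file, open it read-only (sqlite3.connect("file:path?mode=ro", uri=True)) and run audit_schema() before any other query; refuse the file if the list is non-empty. The check reduces exposure rather than removing it: SQLite still parses every statement in sqlite_master when the file is opened, so a bug in the parser itself would not be caught, and keeping SQLite patched remains the primary control.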
To carry out an attack when only a "SELECT" operation can be performed, the "Query Oriented Programming" technique was proposed, which makes it possible to exploit bugs in SQLite that lead to memory corruption. The technique is reminiscent of return-oriented programming (
Source: opennet.ru