A new method of exploiting vulnerabilities in SQLite has been presented.

Researchers from Check Point presented at the DEF CON conference the details of a new technique for attacking applications that use vulnerable versions of SQLite. Check Point's method treats the database file itself as the vehicle for exploit scenarios that target vulnerabilities in internal SQLite subsystems which are not directly reachable from the outside. The researchers also worked out a way to encode an exploit as a chain of SELECT queries stored inside the SQLite database, which makes it possible to bypass ASLR.

For a successful attack, the attacker must be able to modify the database file of the targeted application, which limits the method to applications that accept SQLite databases as a transport or input format. The method can also be used to build on local privileges that have already been obtained, for example to embed hidden backdoors into applications in use, and to evade security mechanisms when malware is analysed by security researchers. Exploitation after the file substitution takes place at the moment the application runs its first SELECT query against a table of the modified database.

As an example, code execution on iOS was demonstrated when the address book is opened, after the file holding the "AddressBook.sqlitedb" database had been modified with the proposed method. The attack used a vulnerability in the fts3_tokenizer function (CVE-2019-8602, a pointer dereference issue), fixed in the April SQLite 3.28 update, together with another vulnerability in the implementation of window functions. In addition, the method was shown to remotely seize control of a backend server written in PHP that collects passwords intercepted by malicious code (the intercepted passwords were delivered to the server in the form of a SQLite database).

The attack method rests on two techniques, "Query Hijacking" and "Query Oriented Programming", which make it possible to exploit arbitrary memory corruption bugs in the SQLite engine. The essence of "Query Hijacking" is to replace the contents of the "sql" field in the sqlite_master service table, which defines the structure of the database. That field holds a DDL (Data Definition Language) block describing the structure of the objects in the database. The description is written in ordinary SQL syntax, e.g. a "CREATE TABLE" construct, which is executed during database initialization (on the first invocation of the sqlite3LocateTable function) to build the in-memory internal structures for the table.

The idea is that by replacing "CREATE TABLE" with "CREATE VIEW" it becomes possible to take control of any access to the database by defining a view of one's own. With "CREATE VIEW" a "SELECT" statement is bound to the table name, and that SELECT runs in place of the original table definition whenever the application queries the table, which gives the attacker a way into various parts of the SQLite interpreter. From there, the simplest attack would be to call the "load_extension" function, which loads an arbitrary library as an extension, but this function is disabled by default.

To mount an attack given only the ability to execute a "SELECT" statement, the "Query Oriented Programming" technique is proposed, which makes it possible to exploit bugs in SQLite that lead to memory corruption. The technique resembles return-oriented programming (ROP, Return-Oriented Programming), but builds its chain of calls ("gadgets") not out of existing fragments of machine code but out of a set of subqueries inserted inside a SELECT.
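Below is an added example of the Query Oriented Programming style, written for this page and not taken from Check Point's exploit. The 32-byte "leaked" structure and the offsets in it are constructed; in the real research such bytes came out of a SQLite bug. What the block shows is the part that is pure SQL: one SELECT in which each subquery is a gadget (read 8 bytes at an offset, fold them into an integer, add a rebase delta), so that pointer arithmetic that a ROP chain would do in machine code is done inside the query a hijacked view carries.

```python
"""Query Oriented Programming style gadget chain: added example, not Check
Point's code. LEAKED_STRUCT is CONSTRUCTED to stand in for bytes a SQLite
bug leaked into a query; everything below it is plain SQL."""
import sqlite3

# Constructed stand-in for a 32-byte leaked structure: 16 bytes of padding,
# a little-endian 64-bit pointer (0x00007f1234567890), then 8 junk bytes.
LEAKED_STRUCT = bytes(16) + bytes.fromhex("90785634127f0000") + b"\xff" * 8
PTR_OFFSET = 16

QOP_CHAIN = """
WITH RECURSIVE
  -- gadget 0: read 8 bytes at a chosen offset of the leaked blob
  leak(p) AS (SELECT substr(?, ? + 1, 8)),
  digits(d) AS (SELECT '0123456789ABCDEF'),
  -- gadget 1: fold the bytes into an integer, least significant byte first.
  -- SQLite has no byte-to-int builtin, so each byte goes through hex() and
  -- two instr() lookups; the recursive CTE plays the role of the loop.
  acc(i, v) AS (
    SELECT 0, 0
    UNION ALL
    SELECT i + 1,
           v | (((instr(d, substr(hex(substr(p, i + 1, 1)), 1, 1)) - 1) * 16
                 + instr(d, substr(hex(substr(p, i + 1, 1)), 2, 1)) - 1) << (8 * i))
    FROM acc, leak, digits
    WHERE i < 8
  ),
  ptr(addr) AS (SELECT v FROM acc WHERE i = 8),
  -- gadget 2: rebase by a constant delta (distance from the leaked pointer
  -- to whatever the chain wants to reach), which is how the leak defeats ASLR
  target(addr) AS (SELECT addr + ? FROM ptr)
SELECT addr, printf('0x%x', addr) FROM target
"""

def qop_rebase(blob, byte_offset, delta):
    """Run the gadget chain in an in-memory database.
    Returns (integer address, hex text)."""
    con = sqlite3.connect(":memory:")
    addr, text = con.execute(QOP_CHAIN, (blob, byte_offset, delta)).fetchone()
    con.close()
    return addr, text

def reference_rebase(blob, byte_offset, delta):
    """The same computation in Python, used to cross-check the SQL chain."""
    return int.from_bytes(blob[byte_offset:byte_offset + 8], "little") + delta

if __name__ == "__main__":
    print(qop_rebase(LEAKED_STRUCT, PTR_OFFSET, 0x1000))
```

The bound parameters stand in for values that, in a real hijacked view, would be literals baked into the DDL text; the chain itself needs no functions beyond substr, hex, instr, printf and integer arithmetic, all of which are always available in the interpreter the view executes in.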

Source: opennet.ru
