New techniques for exploiting vulnerabilities in SQLite introduced.

Researchers from Check Point revealed, at the DEF CON conference, details of a new technique for attacking applications that use vulnerable versions of SQLite. The Check Point method treats database files as a way to deliver scenarios for exploiting vulnerabilities in various internal SQLite subsystems that cannot be exploited directly. The researchers also prepared a technique for exploiting vulnerabilities by encoding the exploit as a chain of SELECT queries in the SQLite database, which makes it possible to bypass ASLR.

For the attack to succeed, the attacker must be able to modify the database files of the targeted applications, which limits the method to applications that use SQLite databases as a format for data exchange and input. The method can also be used to extend existing local access, for example to plant hidden backdoors in the applications in use, as well as to bypass protection mechanisms when security researchers analyze malware. Exploitation after the file has been replaced happens at the moment the application runs its first SELECT query against a table in the modified database.

As an example, the ability to execute code in iOS when the address book is opened was demonstrated, with the file containing the "AddressBook.sqlitedb" database modified using the proposed method. The attack used a vulnerability in the fts3_tokenizer function (CVE-2019-8602, the ability to dereference a pointer), fixed in the April SQLite 2.28 update, along with another vulnerability in the implementation of window functions. In addition, the method was shown being used to remotely take control of an attacker's backend server written in PHP, which collects passwords intercepted while malicious code is running (the intercepted passwords were transmitted in the form of an SQLite database).

The attack method is built on two techniques, "Query Hijacking" and "Query Oriented Programming", which make it possible to exploit arbitrary problems that lead to memory corruption in the SQLite engine. The essence of "Query Hijacking" is replacing the contents of the "sql" field in the sqlite_master service table, which defines the structure of the database. This field contains a DDL (Data Definition Language) block used to describe the structure of the objects in the database. The description is written in standard SQL syntax, i.e. the "CREATE TABLE" construct is used, which is executed during database initialization (during the first invocation of the sqlite3LocateTable function) to build the table-related internal structures in memory.

The idea is that, by replacing "CREATE TABLE" with "CREATE VIEW", it becomes possible to control any access to the database by defining your own view. With "CREATE VIEW", a "SELECT" operation is bound to the table; it is invoked in place of "CREATE TABLE" and gives access to different parts of the SQLite interpreter. From there, the simplest attack method would be to call the "load_extension" function, which allows an arbitrary library with an extension to be loaded, but this function is disabled by default.
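A defender-side check for the schema substitution described above, as an added example that is not from the article or from Check Point: it reads only sqlite_master and reports views, triggers, and expected table names that are not real tables. The table names, the sample files and the `audit_schema` / `build_sample` helpers are assumptions made for illustration.

```python
import pathlib
import sqlite3
import tempfile

# Functions the article names as attack surface; DDL mentioning them needs review.
SUSPICIOUS_TOKENS = ("fts3_tokenizer", "load_extension")


def audit_schema(path, expected_tables):
    """Report schema entries that differ from the tables the application expects."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"  # read-only open
    con = sqlite3.connect(uri, uri=True)
    try:
        # Only the schema table is read; application tables are never queried.
        rows = con.execute("SELECT type, name, sql FROM sqlite_master").fetchall()
    finally:
        con.close()
    findings, seen = [], {}
    for obj_type, name, sql in rows:
        seen[name] = obj_type
        if obj_type in ("view", "trigger"):
            findings.append(f"unexpected {obj_type}: {name}")
        if sql and any(tok in sql.lower() for tok in SUSPICIOUS_TOKENS):
            findings.append(f"suspicious function in DDL of {name}")
    for table in expected_tables:
        if seen.get(table) != "table":
            findings.append(f"{table} is {seen.get(table, 'missing')}, expected table")
    return findings


def build_sample(ddl_statements):
    """Create a constructed sample database and return its path."""
    path = pathlib.Path(tempfile.mkdtemp()) / "sample.sqlitedb"
    con = sqlite3.connect(path)
    for ddl in ddl_statements:
        con.execute(ddl)
    con.commit()
    con.close()
    return path


# Constructed samples: a normal schema, and one where a view took the table's name.
CLEAN = build_sample(["CREATE TABLE contacts (id INTEGER, name TEXT)"])
HIJACKED = build_sample([
    "CREATE TABLE contacts_real (id INTEGER, name TEXT)",
    "CREATE VIEW contacts AS SELECT id, name FROM contacts_real",
])

if __name__ == "__main__":
    for label, db in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, audit_schema(db, ["contacts"]))
```

Opening the file still makes SQLite parse the stored schema, so a check like this belongs in an isolated process linked against a patched SQLite and complements updating rather than replacing it.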

To carry out an attack when it is possible to perform "SELECT" operations, the "Query Oriented Programming" technique is proposed, which makes it possible to exploit problems in SQLite that lead to memory corruption. The technique is reminiscent of return-oriented programming (ROP, Return-Oriented Programming), but it builds its chain of calls ("gadgets") not from existing fragments of machine code but by inserting them into a set of subqueries inside SELECT.

Source: opennet.ru