SQLite Vulnerability May Be Putting Your Applications at Risk
First discovered in 2018 by Tencent’s security researchers (the Blade Team), the SQLite vulnerability continues to expose millions of applications, software, IoT devices, and so on to a heightened risk of SQLite injection attacks. Despite being a medium-impact vulnerability, it is a serious security flaw. Let us delve further into this vulnerability.
SQLite Vulnerability: An Introduction
What is SQLite?
SQLite is an open-source, zero-configuration, self-contained and full-featured relational database management system contained in a C programming library. It is an embedded SQL database engine and there is no client-server relationship. It is linked with the application dynamically or statically as per requirement. Unlike other SQL databases, it is serverless and does not require separate server processes.
How do SQLite Injection Attacks Work?
The underlying idea behind SQLite injections is to gain access to confidential information in the database and perform unauthorized actions such as updating, modifying or deleting records, adding new records and so on.
Typically, for SQLite Injection Attacks to be successful, one of these preconditions is necessary:
- The application has an SQLi vulnerability or runs an outdated version of SQLite.
- The application must allow un-sanitized and unvalidated user inputs.
- The application must allow attackers to submit maliciously-crafted database files that the application will open and query.
Say you have a registration page on your website where the user must enter their username. What if the user enters an SQLite statement instead of their name? If the application builds its query from that input, the statement goes straight to the database, which fetches the data requested in it. This is how most SQLite injection attacks take place.
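The registration scenario above, as an added example that is not part of the original article: the same username lookup written with string concatenation and with a bound parameter, plus an allow-list check on the input. The table layout, function names and sample input are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed input: a "username" that is really a fragment of SQL.
CRAFTED_INPUT = "nobody' OR '1'='1"


def make_db():
    # Constructed sample data for a hypothetical registration table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(username TEXT PRIMARY KEY, email TEXT);"
        "INSERT INTO users VALUES('alice', 'alice@example.test');"
        "INSERT INTO users VALUES('bob', 'bob@example.test');"
    )
    return conn


def lookup_vulnerable(conn, username):
    # The input is pasted into the SQL text, so SQLite parses it as SQL.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # The ? placeholder binds the input as a value; it is never parsed as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    # Allow-list validation: reject anything outside the expected alphabet.
    return re.fullmatch(r"[A-Za-z0-9_]{3,32}", username) is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_vulnerable(db, CRAFTED_INPUT))  # every row
    print("parameterized:", lookup_safe(db, CRAFTED_INPUT))       # no rows
    print("passes validation:", is_valid_username(CRAFTED_INPUT))
```

Validation narrows what reaches the query, but the bound parameter is what keeps the input from being interpreted as SQL.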
Let’s take another example. Your application allows third-party applications to read data from SQLite databases or submit maliciously crafted database files. Using this flaw, the attacker can store malicious code on the database, provided they have the relevant filesystem access permissions. When data is accessed from the database by the application, malicious code gets executed.
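For the crafted-database-file case above, one way an application can treat a submitted file as untrusted before querying it (an added example, not code from the original article). It opens the file read-only, turns off trust in the file's schema, runs SQLite's own consistency check, rejects views and triggers, and then restricts the connection to plain reads. The expected table name and the sample files are assumptions.

```python
import sqlite3
import tempfile
from pathlib import Path

EXPECTED_TABLES = {"users"}  # assumption: the tables this hypothetical app reads
def read_only_authorizer(action, arg1, arg2, dbname, source):
    # Allow plain reads; deny writes, ATTACH, PRAGMA, SQL functions, etc.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def open_untrusted(path):
    # mode=ro: SQLite never writes to the submitted file.
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        conn.execute("PRAGMA trusted_schema = OFF")  # no effect before SQLite 3.31
        if conn.execute("PRAGMA quick_check").fetchone()[0] != "ok":
            raise ValueError("database failed quick_check")
        schema = conn.execute("SELECT name, type FROM sqlite_master").fetchall()
        for name, kind in schema:
            if kind in ("view", "trigger"):  # this app expects plain tables only
                raise ValueError(f"unexpected {kind} in schema: {name}")
        if not EXPECTED_TABLES <= {n for n, k in schema if k == "table"}:
            raise ValueError("expected table missing")
    except Exception:
        conn.close()
        raise
    conn.set_authorizer(read_only_authorizer)
    return conn

def demo():
    # Constructed sample files: one ordinary, one where "users" is a view.
    samples = {
        "good.db": "CREATE TABLE users(name TEXT); INSERT INTO users VALUES('alice');",
        "bad.db": "CREATE TABLE t(name TEXT); CREATE VIEW users AS SELECT name FROM t;",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for fname, ddl in samples.items():
            setup = sqlite3.connect(f"{d}/{fname}")
            setup.executescript(ddl)
            setup.close()
            try:
                conn = open_untrusted(f"{d}/{fname}")
                results[fname] = [r[0] for r in conn.execute("SELECT name FROM users")]
                conn.close()
            except ValueError as exc:
                results[fname] = str(exc)
    return results
```

These checks reduce what a crafted file can influence; they do not replace running a patched SQLite build.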
Chromium-based browsers such as Google Chrome, Brave, Vivaldi, etc., implement the Web SQL feature of JavaScript. This enables attackers to create web pages that send SQL commands to an application’s embedded SQLite code. Using this SQLite vulnerability, attackers can run arbitrary SQL text. Something as simple as visiting a web page in an SQLite-supported browser is sufficient for attackers to exploit the vulnerability and trigger remote code execution. The Web SQL API converts the malicious code into regular SQL syntax.
Why are SQLite Security Vulnerabilities Dangerous?
Newer flaws identified
The Tencent security team first discovered a remote code execution vulnerability in SQLite in 2018. Since then, other SQL security vulnerabilities such as integer overflow, use-after-free, NULL pointer dereference, input validation errors, a SELECT query functionality flaw, etc. have been identified, which enabled attackers to do their bidding.
Researchers consistently keep finding flaws and ways to exploit SQLite engines in different operating systems, software, applications, platforms, programs and devices. It could be a starting point for a whole host of new vulnerabilities.
The impact
SQLite vulnerabilities are leveraged by attackers in a wide range of malicious activities, from remote code execution, leaking program memory and crashing programs to orchestrating DDoS attacks.
Its widespread use heightens the associated risks
Given its compatibility, lightweight nature (with respect to setup complexity, resource usage and administrative overheads) and other advantages, SQLite is commonly used across the computing spectrum including apps, software and IoT devices (including voice assistants, smart TVs, etc).
It is also used in the underlying operating systems where these apps run, such as Android, Unix flavors, macOS and so on. It is also part of Chromium-based browsers such as Google Chrome, Brave, Vivaldi, Opera, etc. As a result, SQLite is embedded in billions of apps, smartphones and devices. Even some versions of Safari and Firefox are known to have this vulnerability.
Given how widely it is used, the possibility that your application is at risk is high. Your application could be at risk even if a third-party application you use has SQLite security vulnerabilities.
An enormous attack surface
Since these are categorized as medium-impact vulnerabilities, developers/vendors may live with a false sense of security and may not fix the vulnerability. This could end up creating a wide attack surface which attackers may leverage in the future to orchestrate chained attacks against the unpatched systems.
The application may be at risk even after patches are released
Players such as Google and the makers of other apps using the SQLite engine have released patches. However, updating a database engine embedded in an application could be a dangerous process, resulting in data corruption. So, developers tend to put off fixing these flaws for a long time. Libraries and component parts of applications are rarely updated, which heightens the risk of SQLite vulnerabilities.
Conclusion
Patching SQLite vulnerabilities and sanitizing and validating user inputs are necessary steps to prevent SQLite injections. You must have a managed and intelligent security solution in place to address these vulnerabilities and fortify the security posture of your application.