Security researcher Andreas Kellas of Trail of Bits detailed a high-severity vulnerability in the SQLite database library, tracked as CVE-2022-35737 (CVSS score: 7.5), that has been present in the code since October 2000.
“SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API,” reads the advisory.
Depending on how the affected program was built, an attacker who can trigger the issue can crash the process or, in the worst case, execute arbitrary code on the affected system.
“CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled; arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases,” Kellas wrote.
Kellas explained that to exploit CVE-2022-35737 an attacker must pass a very large string input (billions of bytes) to SQLite's printf-family functions through a format string that uses the %Q, %q, or %w substitution types.
The flaw lies in sqlite3_str_vappendf, the function behind SQLite's printf implementations, and specifically in how it sizes and builds the escaped output for those substitutions.
When the function receives such a large string with %q, %Q, or %w, the signed integer counters it uses to compute the required output length overflow.
The researchers also found that if the format string additionally contains the ! special character, which enables Unicode character scanning, the outcome can be arbitrary code execution in the worst case, or a DoS condition.
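To make the length bookkeeping concrete, the following C is an added model of the escaping path described above; it is not SQLite's code and not from Kellas's write-up. It reproduces the pattern: a first pass counts the quote characters that must be doubled, the required output size is computed as quotes + input length + 3 (two enclosing quotes plus the NUL), and that size decides whether the routine writes into a small fixed stack buffer or allocates a heap buffer of the right size. The pre-fix version keeps that size in a 32-bit int, so for inputs around 2 GiB it wraps negative, passes the "fits in the small buffer" check, and the copy loop then writes gigabytes past a stack buffer; the widened version keeps it in 64 bits. The function names and ET_BUFSIZE are my own (70 follows SQLite's etBUFSIZE scratch buffer); the sizes in the comments are illustrative and the wraparound is produced by an explicit truncation so the model stays well-defined.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed scratch buffer the escaping path falls back to when the
 * computed length looks small (assumed to mirror SQLite's 70-byte etBUFSIZE). */
#define ET_BUFSIZE 70

/* First pass: count the quote characters that will have to be doubled. */
size_t count_quotes(const char *s, size_t len, char q) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == q) n++;
    }
    return n;
}

/* Pre-fix bookkeeping: the byte count and quote count lived in plain int.
 * Required bytes = quotes + len + 3 (two enclosing quotes plus NUL).  The
 * real code overflows a signed int, which is undefined behaviour; this model
 * computes in 64 bits and truncates to 32 explicitly so the wrap is
 * reproducible (implementation-defined, wraps on mainstream compilers). */
int required_len_int(size_t len, size_t quotes) {
    int64_t n = (int64_t)quotes + (int64_t)len + 3;
    return (int)(uint32_t)n;
}

/* Widened bookkeeping: the same sum kept in 64 bits. */
int64_t required_len_i64(size_t len, size_t quotes) {
    return (int64_t)quotes + (int64_t)len + 3;
}

/* 1 if the routine would write into the fixed stack buffer, 0 if it would
 * allocate a heap buffer of the computed size.  A wrapped-negative length
 * compares as "small" and selects the stack buffer for a multi-GB copy. */
int picks_stack_buffer_int(size_t len, size_t quotes) {
    return required_len_int(len, quotes) <= ET_BUFSIZE;
}
int picks_stack_buffer_i64(size_t len, size_t quotes) {
    return required_len_i64(len, quotes) <= ET_BUFSIZE;
}

/* Second pass on the widened path: allocate required_len_i64 bytes and copy,
 * doubling each quote.  enclose==1 models %Q (wrap in quotes), 0 models
 * %q/%w (escape only).  Returns a malloc'd NUL-terminated string or NULL. */
char *sql_escape(const char *in, size_t len, char q, int enclose) {
    int64_t need = required_len_i64(len, count_quotes(in, len, q));
    if (need < 0) return NULL;              /* never trust a negative length */
    char *out = malloc((size_t)need);
    if (out == NULL) return NULL;
    size_t j = 0;
    if (enclose) out[j++] = q;
    for (size_t i = 0; i < len; i++) {
        out[j++] = in[i];
        if (in[i] == q) out[j++] = q;       /* ' -> '' or " -> "" */
    }
    if (enclose) out[j++] = q;
    out[j] = '\0';
    return out;
}
```

With a 10-byte input both versions pick the stack buffer and the escaped output is correct; with a 2,147,483,645-byte input (no quotes) the int version computes 2,147,483,648, which wraps to INT_MIN and selects the 70-byte buffer, while the 64-bit version correctly goes to the heap. The boundary is one byte earlier (2,147,483,644 bytes gives exactly INT_MAX and still picks the heap), which is why "billions of bytes" in the advisory is the operative condition.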
“…it’s a bug that may not have seemed like an error at the time that it was written (dating back to 2000 in the SQLite source code) when systems were primarily 32-bit architectures,” Kellas concluded.
(SecurityAffairs – hacking, SQLite)