Cisco Talos experts discovered a use-after-free flaw in SQLite that could be exploited by an attacker to remotely execute code on an affected device. An attacker can trigger the flaw by sending a malicious SQL command to a vulnerable installation.
“An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution,” reads the analysis published by Cisco Talos. “An attacker can send a malicious SQL command to trigger this vulnerability.”
The flaw, tracked as CVE-2019-5018, affects SQLite 3.26.0 and 3.27.0 and received a CVSS 3.0 score of 8.1.
SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine.
SQLite implements the Window Functions feature of SQL. After parsing a SELECT statement containing a window function, SQLite transforms the statement using the sqlite3WindowRewrite function.
Experts discovered that the process SQLite uses to handle window functions includes reusing a deleted partition.
“Looking back at the original sqlite3WindowRewrite function, this deleted partition is reused after the rewrite of the expression list,” continues the analysis.
“After this partition is deleted, it is then reused in exprListAppendList, causing a use after free vulnerability, resulting in a denial of service. If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”
Talos published technical details of the vulnerability, which was addressed with the release of SQLite version 3.28.
The timeline for the vulnerability is:
2019-02-05 – Vendor Disclosure
2019-03-07 – 30 day follow up with vendor; awaiting moderator approval
2019-03-28 – Vendor patched
2019-05-09 – Public Release
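
To check whether a Python runtime links one of the SQLite releases named above, the following added example (not code from Talos or the SQLite project) reads the library version and probes for window-function support with a harmless query. The function names are hypothetical, and flagging unlisted releases between 3.26.0 and 3.28 as "upgrade-advised" is a conservative assumption, since the article lists only 3.26.0 and 3.27.0.

```python
import re
import sqlite3

# Versions the article names as affected, and the release it names as the fix.
LISTED_AFFECTED = {(3, 26, 0), (3, 27, 0)}
FIXED_IN = (3, 28, 0)

def parse_version(text):
    """Turn '3.27.2' or '3.28' into a 3-tuple of ints, padding with zeros."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SQLite version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def classify(version_text):
    """Map a version string to a CVE-2019-5018 status per the article."""
    v = parse_version(version_text)
    if v >= FIXED_IN:
        return "fixed"
    if v in LISTED_AFFECTED:
        return "affected"
    if min(LISTED_AFFECTED) < v < FIXED_IN:
        # Assumption: not listed in the article, but older than the fix.
        return "upgrade-advised"
    return "not-listed"

def has_window_functions(conn):
    """Benign probe: the query fails to parse if window functions are absent."""
    try:
        conn.execute("SELECT row_number() OVER () FROM (SELECT 1)").fetchone()
        return True
    except sqlite3.OperationalError:
        return False

def audit_runtime():
    """Report the SQLite library this interpreter is actually linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        version = conn.execute("SELECT sqlite_version()").fetchone()[0]
        return {"version": version,
                "status": classify(version),
                "window_functions": has_window_functions(conn)}
    finally:
        conn.close()

if __name__ == "__main__":
    print(audit_runtime())
```

The result describes only the library loaded by this interpreter; applications that bundle their own copy of SQLite need the same check against that copy.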