ASA-2018-00093 – SQLite: Integer overflow in FTS3 queries


Allele Security Alert

ASA-2018-00093

Identifier(s)

ASA-2018-00093, CVE-2018-20346

Title

Integer overflow in FTS3 queries

Vendor(s)

D. Richard Hipp

Product(s)

SQLite

Affected version(s)

SQLite before 3.25.3

Fixed version(s)

SQLite 3.25.3

Proof of concept

Yes

Description

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
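The description names two preconditions: a library older than 3.25.3 and the FTS3 extension enabled. The following is an added example, not code from the advisory or from SQLite, that checks both against the SQLite build linked into Python; the helper names and the throwaway table name `probe` are assumptions.

```python
import sqlite3
from typing import Optional

# Fixed release named in the advisory: SQLite 3.25.3.
FIXED_VERSION = (3, 25, 3)


def parse_version(version: str) -> tuple:
    """Turn a dotted SQLite version string such as "3.25.2" into a tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """True when the given SQLite version predates the 3.25.3 fix."""
    return parse_version(version) < FIXED_VERSION


def fts3_available() -> bool:
    """Probe whether the linked SQLite library can instantiate an FTS3 table.

    Uses a throwaway in-memory database; "no such module: fts3" means the
    extension is compiled out, which removes this advisory's precondition.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE probe USING fts3(content)")
        return True
    except sqlite3.OperationalError as exc:
        if "no such module" in str(exc).lower():
            return False
        raise
    finally:
        conn.close()


def assess(version: str = sqlite3.sqlite_version,
           fts3_enabled: Optional[bool] = None) -> dict:
    """Combine both preconditions from the advisory into one verdict."""
    if fts3_enabled is None:
        fts3_enabled = fts3_available()
    return {
        "sqlite_version": version,
        "fts3_enabled": fts3_enabled,
        "exposed": is_affected_version(version) and fts3_enabled,
    }


if __name__ == "__main__":
    print(assess())
```

A build that reports `exposed: True` needs the 3.25.3 upgrade (or FTS3 compiled out) before it is used with untrusted SQL or database files.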

Technical details

Unknown

Credits

Tencent Blade Team

Reference(s)

Bug 1659379 – sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan) [NEEDINFO]
https://bugzilla.redhat.com/show_bug.cgi?id=1659379

Bug 1659677 – sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1659677

Re: [sqlite] Claimed vulnerability in SQLite: Info or Intox?
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html

Magellan
https://blade.tencent.com/magellan/index_en.html

Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

sqlite: Upgrade to the 3.25.3 code in M72.
https://chromium.googlesource.com/chromium/src/+/c368e30ae55600a1c3c9cb1710a54f9c55de786e

SQLite Release 3.25.3 On 2018-11-05
https://www.sqlite.org/releaselog/3_25_3.html

Multiple remote code execution flaws in sqlite (Magellan)
https://access.redhat.com/articles/3758321

Crash Chrome 70 with the SQLite Magellan bug | Worth Doing Badly
https://worthdoingbadly.com/sqlitebug/

EXPLOITING THE MAGELLAN BUG ON 64-BIT CHROME DESKTOP
https://blog.exodusintel.com/2019/01/22/exploiting-the-magellan-bug-on-64-bit-chrome-desktop/

SQLite Vulnerability Fix
https://electronjs.org/blog/magellan-fix

CVE-2018-20346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346

CVE-2018-20346
https://nvd.nist.gov/vuln/detail/CVE-2018-20346

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: February 12, 2019