
Check Point Research discovers vulnerabilities in SQLite that allow hacking an iPhone

  • SQLite is the database management system in which the iPhone's contacts are stored
  • Other systems that use SQLite include Windows 10, macOS, Chrome, Safari, Firefox and Android

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a global provider of cyber security solutions, has discovered vulnerabilities affecting SQLite, the most widely used database management system in the world. Through these vulnerabilities, a cybercriminal could take control of an iPhone, since the contacts on these devices are stored in a database of this kind.

“Although people believe that iPhones are secure devices, these vulnerabilities show that they can be hacked as well. It is important for users to pay attention to the security of their computers and mobile phones, since an attacker could take control of them and steal all of the stored information,” said Eusebio Nieva, technical director of Check Point for Spain and Portugal.

SQLite is a database management system that is found in practically every operating system, computer and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android, for example, are well-known users of SQLite. As one of the most widely used software components in the world, it is embedded in many programs for different purposes. For example, in addition to the iPhone case, Macs also store some of their secret keys in this system. Through these vulnerabilities, it would be possible to take control of any system that queries a database managed by SQLite.

Given how widespread SQLite is, there are endless possibilities for exploiting these vulnerabilities. Check Point built a demo to prove the concept on the iPhone, which was presented at DEF CON 2019. By exploiting these vulnerabilities it is possible to bypass Apple's Secure Boot mechanism and obtain administrator privileges on the latest iPhone. Check Point was the first to demonstrate SQLite vulnerabilities that are not tied to the browser.

“Until now, querying a database was never considered dangerous, but our research has shown that it can be. Because SQLite is so popular, these vulnerabilities are a great opportunity for exploitation. A serious flaw in SQLite is a serious flaw in some of the most widely used technologies in the world, such as the iPhone, Dropbox, Adobe or Skype,” Nieva concluded.

Check Point's IPS (Intrusion Prevention System) security solutions include protections that ensure its users are not affected by attacks of this kind.

For more information about these vulnerabilities, please visit: https://research.checkpoint.com/select-code_execution-from-using-sqlite/

The post itself follows.

Achieving code execution using a malicious SQLite database. Research by: Omer Gull

SQLite is one of the most widely deployed pieces of software in the world. From a security perspective, however, it has only been examined through the narrow lens of WebSQL and browser exploitation. We believe this is just the tip of the iceberg.

In our long-term research, we experimented with exploiting memory corruption issues inside SQLite without relying on any environment other than the SQL language. Using our innovative query-hijacking techniques and query-oriented programming, we show that memory corruption issues in the SQLite engine can be exploited reliably. We demonstrate these techniques in two real-world scenarios: pwning a password stealer's back-end server, and achieving persistence with higher privileges.

We hope that by publishing our research and methodology, the security research community will be inspired to continue examining SQLite in the countless scenarios in which it is available. Given that SQLite is practically built into every major operating system, desktop or mobile, the landscape and the opportunities are endless. Moreover, many of the primitives presented here are not unique to SQLite and can be ported to other SQL engines. Welcome to the brave new world of using the familiar Structured Query Language for exploitation primitives.

Motivation

This research began when omriher and I were looking at the leaked source code of a notorious password stealer. Although there are plenty of password stealers (Azorult, Loki Bot and Pony, to name a few), their modus operandi is the same:

  • A computer is infected, and the malware collects credentials such as those stored by several popular clients.
  • It is not unusual for client software to use SQLite databases for such purposes.
  • After the malware collects those SQLite files, it sends them to its C2 server, where they are parsed using PHP and stored in a collective database containing all of the stolen credentials.

Reading the leaked source code of such a password stealer, we began to think about the attack surface described above.
Could we exploit the loading and querying of an untrusted database to our advantage?
Capabilities like that could have a big impact in countless scenarios, since SQLite is one of the most widely deployed software components.

A surprisingly solid codebase, available on practically every device imaginable. That is all the motivation we need, and so our journey began.

Background on SQLite

There is a good chance you are using SQLite right now, even if you are not aware of it.
To quote its authors:

SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.

Unlike most other SQL databases, SQLite does not have a separate server process. SQLite reads and writes directly to ordinary disk files. A complete SQL database with multiple tables, indices, triggers and views is contained in a single disk file.

Attack surface

The following snippet is a fair example of a typical password stealer.

[Figure 1]

Since we control the database and its content, the attack surface available to us can be divided into two parts: the loading and initial parsing of our database, and the SELECT query performed against it.

The initial loading done by sqlite3_open is actually a very limited surface; it is basically a lot of setup and configuration code for opening the database. Our surface is mostly the header parsing, which is battle-tested against AFL.

Things get more interesting once we start querying the database.
In the words of SQLite's authors:

“The SELECT statement is the most complicated command in the SQL language.”

Although we cannot control the query itself (since it is hard-coded in our target), studying the query process carefully proves useful in our search for exploitation primitives.

Since SQLite3 is a virtual machine, every SQL statement must first be compiled into bytecode using one of the sqlite3_prepare* routines.
Among other operations, the prepare function walks and expands all of the SELECT subtrees. Part of this process is verifying that all related objects (such as tables or views) actually exist, and locating them in the master schema.

sqlite_master and DDL

Every SQLite database has a sqlite_master table that defines the schema of the database and all of its objects (such as tables, views, indices, etc.).
The sqlite_master table is defined as:

[Figure 2]

The part of particular interest to us is the sql column.
This field is the DDL (Data Definition Language) used to describe the object.
In a sense, DDL commands are similar to C header files. DDL commands are used to define the structure, names and types of the data containers within the database, just as a header file typically defines type definitions, structures, classes and other data structures.

These DDL statements actually appear in plain text if we inspect the database file:

[Figure 3]

During query preparation, sqlite3LocateTable() attempts to find the in-memory structure that describes the table we are interested in querying.

sqlite3LocateTable() reads the schema available in sqlite_master; if this is the first time it does so, it also has a callback for every result that verifies that the DDL statement is valid and builds the internal data structures needed to describe the object in question.

DDL patching

Having learned about this preparation process, we wondered: could we simply replace the DDL that appears in plain text inside the file? If we inject SQL of our own into the file, perhaps we can influence its behaviour.

[Figure 4]

As noted in the code snippet above, it appears that DDL statements must begin with “create”.
With this in mind, we needed to assess our surface.
Checking the SQLite documentation revealed that these are the objects we can possibly create:

[Figure 5]

The CREATE VIEW command gave us an interesting idea. Simply put, VIEWs are just pre-packaged SELECT statements. If we replace the table expected by the target software with a compatible VIEW, interesting opportunities reveal themselves.

Hijack any query

Consider the following scenario:
The original database has a single TABLE called dummy, defined as:

[Figure 6]

The target software queries the following:

[Figure 7]

In fact, we can hijack this query if we create dummy as a VIEW:

[Figure 8]

This VIEW lets us hijack the query, which means we produce a new query that we completely control.

[Figure 9]

This technique greatly expands our attack surface: from the minimal header parsing and a query we cannot control performed by the loading software, to the point where we can now interact with large parts of the SQLite interpreter by patching the DDL and creating our own view with a sub-query.
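The hijack described above, together with the schema check a defender would want before loading a database file of unknown origin, as an added Python example that is not code from the original post (the Notes/BodyRich names match the scenario later in the article; the file names, the sample content and the audit rules are assumptions):

```python
import os
import re
import sqlite3
import tempfile

# Constructed scenario (not the article's code): an application picks up a
# SQLite file it did not create and runs a fixed query against it.  The
# password-stealer back end in the article expects a table called Notes with a
# BodyRich column, so the same names are used here.
VICTIM_QUERY = "SELECT BodyRich FROM Notes"

def build_benign_db(path):
    """Write the file the application expects: Notes is an ordinary table."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE Notes (id INTEGER PRIMARY KEY, BodyRich TEXT)")
        conn.execute("INSERT INTO Notes (BodyRich) VALUES ('shopping list')")
    conn.close()

def build_hijacked_db(path):
    """Write a file in which Notes exists only as a VIEW.  The DDL sits in
    plain text in sqlite_master, so whoever wrote the file decides what
    'SELECT BodyRich FROM Notes' really executes.  The substituted query is
    harmless here: it just reports the library version."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE real_notes (id INTEGER PRIMARY KEY, BodyRich TEXT)")
        conn.execute("INSERT INTO real_notes (BodyRich) VALUES ('shopping list')")
        conn.execute(
            "CREATE VIEW Notes AS "
            "SELECT 'hijacked by view, sqlite ' || sqlite_version() AS BodyRich "
            "FROM real_notes"
        )
    conn.close()

def open_readonly(path):
    """Open an untrusted file without ever writing back to it."""
    conn = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    # SQLite 3.31+ honours trusted_schema=OFF, which stops SQL embedded in the
    # schema (views, triggers, virtual-table arguments) from being treated as
    # trusted; older builds ignore unknown pragmas, so the call is harmless.
    conn.execute("PRAGMA trusted_schema=OFF")
    return conn

def run_victim_query(path):
    """What the application sees: the same query, whatever the file holds."""
    conn = open_readonly(path)
    try:
        return [row[0] for row in conn.execute(VICTIM_QUERY)]
    finally:
        conn.close()

# Objects a consumer of a plain data file has a reason to expect.  Views and
# triggers carry SQL that runs when the file is queried; virtual tables (FTS,
# RTREE) pull in module code and the shadow tables discussed later in the post.
EXPECTED_TYPES = {"table", "index"}
VIRTUAL_TABLE = re.compile(r"\bCREATE\s+VIRTUAL\s+TABLE\b", re.IGNORECASE)

def audit_schema(path):
    """Defender-side check: return (object name, reason) for every
    sqlite_master entry that looks out of place.  An empty list means clean."""
    conn = open_readonly(path)
    try:
        rows = conn.execute("SELECT type, name, sql FROM sqlite_master").fetchall()
    finally:
        conn.close()
    findings = []
    for obj_type, name, sql in rows:
        if sql is None:
            continue  # automatic indexes have no DDL text
        if obj_type not in EXPECTED_TYPES:
            findings.append((name, "schema contains a %s" % obj_type))
        if VIRTUAL_TABLE.search(sql):
            findings.append((name, "virtual table module in use"))
    return findings

def demo():
    """Build both files in a scratch directory; return what the victim query
    yields and what the audit reports for each."""
    workdir = tempfile.mkdtemp()
    benign = os.path.join(workdir, "benign.sqlitedb")
    hijacked = os.path.join(workdir, "hijacked.sqlitedb")
    build_benign_db(benign)
    build_hijacked_db(hijacked)
    return {
        "benign_rows": run_victim_query(benign),
        "benign_findings": audit_schema(benign),
        "hijacked_rows": run_victim_query(hijacked),
        "hijacked_findings": audit_schema(hijacked),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit reads sqlite_master through the library, so the schema is still parsed; it is a triage step for files of unknown origin, not a substitute for keeping SQLite itself patched.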

Now that we can interact with the SQLite interpreter, our next question was: what exploitation primitives does SQLite itself offer? Does it allow any system commands, or reading from or writing to the filesystem?

Since we are not the first to see the great potential of SQLite from an exploitation point of view, it makes sense to review the earlier work done in the field. We start from the basics.

SQL injections

As researchers, it is hard for us to even spell SQL without the “i”, so it seems like a reasonable place to start. After all, we want to familiarise ourselves with the built-in primitives that SQLite offers. Are there any system commands? Can we load arbitrary libraries?

The simplest primitive seems to be attaching a database file and writing to it using something like:

[Figure 10]

We attach a new database, create a single table and insert a single line of text. The new database creates a new file (since databases are files in SQLite) with our web shell inside.
The permissive nature of the PHP interpreter parses our database until it reaches the PHP opening tag.
Writing a web shell is indeed a win in our password stealer scenario; however, as you recall, the DDL cannot begin with “ATTACH”.

[Figure 11]

Another relevant option is the load_extension function. Although this function would let us load an arbitrary shared object, it is disabled by default.

Memory corruption in SQLite

Like any other software written in C, memory issues are definitely something to consider when evaluating the security of SQLite.
In his great blog post, Michał Zalewski described how he fuzzed SQLite with AFL to achieve impressive results: 22 bugs in 30 minutes of fuzzing.

Interestingly, SQLite has since started using AFL as an integral part of its impressive test suite.

Those memory corruptions were handled with the vigour that was to be expected (Richard Hipp and his team deserve a lot of respect). However, from an attacker's perspective, these bugs would have been a hard road to exploitation without a good foundation for exploiting them.
Modern mitigations are a major obstacle to exploiting memory corruption issues; attackers need a flexible environment.

The security research community would soon find a better target!

Web SQL

Web SQL Database is a web page API for storing data in databases that can be queried using a variant of SQL through JavaScript. The W3C Web Applications Working Group ceased work on the specification in November 2010, citing the lack of independent implementations other than SQLite.

At present, the API is still supported by Google Chrome, Opera and Safari.
All of them use SQLite as the back end for this API.

Untrusted input into SQLite, reachable from any website in the most popular browsers, attracted the attention of the security community, and as a result the number of vulnerabilities began to rise.
Suddenly, bugs in SQLite could be used by the JavaScript interpreter to achieve reliable browser exploitation.

Several impressive research reports have been published:

  • Low-hanging fruit such as CVE-2015-7036
    • Untrusted pointer dereference in fts3_tokenizer()
  • More complex exploits presented at Blackhat 17 by the Chaitin team
    • Type confusion in fts3OptimizeFunc()
  • The latest Magellan bugs exploited by Exodus
    • Integer overflow in fts3SegReaderNext()

A clear pattern in the earlier WebSQL research revealed that a virtual table module called “FTS” could be an interesting target for our research.

FTS

Full-Text Search (FTS) is a virtual table module that allows text searches over a set of documents.
From the perspective of a SQL statement, the virtual table object looks like any other table or view. But behind the scenes, queries on a virtual table invoke callback methods on the table object instead of reading from or writing to the database file.

Some virtual table implementations, such as FTS, use real (non-virtual) database tables to store their content.

For example, when a string is inserted into an FTS3 virtual table, some metadata must be produced to allow efficient text searches. This metadata is stored in real tables called “%_segdir” and “%_segments”, while the content itself is stored in “%_content”, where “%” is the name of the original virtual table.
The real tables that back the data of a virtual table are called “shadow tables”.

[Figure 12]

Because of their trusting nature, the data exchange between shadow tables provides fertile ground for bugs. CVE-2019-8457, a new OOB read vulnerability we found in the RTREE virtual table module, demonstrates this well.

RTREE virtual tables, used for geographic indexing, are expected to begin with an integer column. Therefore, the other RTREE interfaces expect the first column of an RTREE to be an integer. However, if we create a table in which the first column is a string, as in the following snippet, and pass it to rtreenode(), an OOB read occurs.

[Figure 13]

Now that we can use query hijacking to take control of queries and know where to look for vulnerabilities, it is time to move on to exploit development.

SQLite internals for exploit development

Previous SQLite exploitation write-ups clearly show that a wrapping environment is always required, whether it is the PHP interpreter seen in this great blog post about abusing the SQLite tokenizer, or the latest Web SQL work done in the comfort of a JavaScript interpreter.

Since SQLite is practically everywhere, it seemed unrealistic to limit ourselves that way, and we began exploring the use of SQLite internals for exploitation purposes.
The research community has become very proficient at using JavaScript for exploit development. Can we achieve the same with SQL?

Given that SQL is Turing-complete ((one), (two)), we began putting together a preliminary wish list for exploit development based on our experience.
A modern exploit written purely in SQL has the following capabilities:

  • Memory leak
  • Packing and unpacking integers to 64-bit pointers
  • Pointer arithmetic
  • Crafting complex fake objects in memory
  • Heap spray

One by one, we will address these primitives and implement them using nothing but SQL.

To achieve RCE on PHP7, we will still use the 1-day, unpatched CVE-2015-7036.

Wait, what? How is a 4-year-old bug still unpatched? It is actually an interesting story and a great example of our argument.
This function was considered dangerous only in the context of a program that allows arbitrary SQL from an untrusted source (Web SQL), so it was hardened accordingly.
SQLite usage, however, is so versatile that we can still trigger it in many scenarios.

Exploitation game plan

CVE-2015-7036 is a very convenient bug to work with.
Simply put, the vulnerable fts3_tokenizer() function returns the address of the tokenizer when called with one argument (such as “simple”, “porter” or any other registered tokenizer).

[Figure 14]

When called with 2 arguments, fts3_tokenizer overrides the tokenizer address of the first argument with the address provided by the blob in the second argument.
Once a specific tokenizer has been overridden, any new instance of an fts table that uses this tokenizer lets us hijack the program flow.

[Figure 15]

Our exploitation plan:

  • Leak the tokenizer address
  • Compute the base address
  • Forge a fake tokenizer object that will execute our malicious code
  • Override one of the tokenizers with our malicious tokenizer
  • Instantiate an fts3 table to trigger our malicious code

Now back to our exploit development.

Query-oriented programming

We are proud to present our own unique approach to exploit development using the familiar Structured Query Language. We share QOP with the community in the hope that it encourages researchers to seek out the endless opportunities for exploiting database engines.
Each of the following primitives is accompanied by an example from the sqlite3 shell.

Although this gives you some idea of what you want to achieve, keep in mind that our ultimate goal is to plant all of those primitives in the sqlite_master table and hijack the queries issued by the loading software, redirecting them to our malicious SQLite db file.

Memory leak – Binary

Mitigations like ASLR have certainly raised the bar for exploiting memory corruption. The most common way to overcome it is to learn something about the memory layout around us.
This is widely known as a memory leak.
Leaks are their own sub-class of vulnerability, and each one has a slightly different layout.

In our case, the leak is the return of a SQLite BLOB.
These BLOBs are a good target for leaks, since they sometimes contain pointers.

[Figure]

The vulnerable fts3_tokenizer() is called with a single argument and returns the memory address of the requested tokenizer. hex() makes it human-readable.
Obviously we got some memory address, but it is reversed because of little-endianness.
Surely we can reverse it using some of SQLite's built-in string operations.

[Figure 17]

substr() looks like a perfect fit! We can read little-endian BLOBs, but this raises another question: how do we store it?

QOP chain

Normally, storing data in SQL requires an INSERT statement. Because of the hardened verification underlying sqlite_master, we cannot use INSERT, since all statements must begin with “CREATE”. Our way around this obstacle is simply to store our queries in a meaningfully named VIEW that we chain together.
The following example makes this a bit clearer:

[Figure 18]

This may not look like much of a difference, but as our chain gets more complex, being able to use named values will surely make our lives easier.

Unpacking 64-bit pointers

If you have ever done exploitation challenges, the concept of packing and unpacking pointers should not come as a surprise.
This primitive should make it easy to convert our hexadecimal values (such as the leak we just obtained) into integers. Doing so lets us perform some arithmetic on these pointers in the next steps.

[Figure 19]

This query takes a hexadecimal string and iterates over it character by character, in reverse, using substr().

The translation of each character is done using a neat little trick with instr(), which is 1-based.
All that is left now is the correct shifting via the * operator.

Pointer arithmetic

Pointer arithmetic is a fairly simple task with pointers-as-integers at hand. For example, obtaining the base address of the binary from our leaked tokenizer pointer is as simple as:

[Figure 20]

Packing 64-bit pointers

After reading the leaked pointers and using them for our arithmetic, it makes sense to pack them back into their little-endian form so that we can write them somewhere.
SQLite's char() should be used here, since its documentation states that it “returns a string composed of characters having the unicode code point values of integers”.
It turned out to work fine, but only on a limited range.

[Figure 21]

Larger integers were translated into their 2-byte code points.
After banging our heads against the SQLite documentation, we suddenly had a surprising epiphany: our exploit is actually a database.
We can pre-prepare a table that maps integers to their expected values.

[Figure 22]

So our pointer-packing query is as follows:

[Figure 23]

Crafting complex fake objects in memory

Writing a single pointer is definitely useful, but still not enough. Many of the sad cases of memory corruption require attackers to craft an object or structure in memory, or even write a ROP chain.

Essentially, we will chain several of the primitives described above.
For example, let's craft our own tokenizer, as explained here.
Our fake tokenizer must follow the interface expected by SQLite, defined here:

[Figure 24]

Using the primitives described above and simple JOIN queries, we can fake the desired object.

[Figure 25]

Verifying the result with a low-level debugger, we see that a fake object was indeed created.

[Figure 26]

Heap spray

Now that we have created our fake object, it is sometimes useful to spray it on the heap.
Ideally, this should be some form of repetition of the latter.

Unfortunately, SQLite does not implement the REPEAT() function as MySQL does.
But nevertheless, this thread gave us an elegant solution.

[Figure 27]

The zeroblob(N) function returns a BLOB consisting of N bytes, while replace() is used to replace those zeros with something meaningful.

Searching for those 0x41s shows that we also achieve full continuity. Note the 0x20 repeated in every statement.

[Figure 28]

Memory leak: the heap

Looking back at our exploitation game plan, it seems we are heading in the right direction.
We already know where the binary is located, so we can deduce where the important functions are and spray our malicious tokenizers.

Now it is time to override a tokenizer with one of our sprayed objects. However, since the heap location is also randomised, we do not know where our spray landed.
Leaking a heap address requires another vulnerability.

Once again, we point to the strategic shadow tables.
Since virtual tables use shadow tables underneath, it is quite common for raw pointers to pass through the different SQL interfaces.

Note: this exact problem was mitigated in SQLite 3.20. Fortunately, PHP7 is compiled with an earlier version. In the case of an updated version, CVE-2019-8457 can also be used here.

To leak the heap address, we need to generate an fts3 table and use its MATCH interface beforehand.

[Figure 29]

As we saw in our first memory leak, the pointer is little-endian, so it must be reversed. Fortunately, we already know how to do this using SUBSTR().
Now that we know our heap location and can spray it properly, we can finally override the tokenizer with our malicious tokenizer!

Isku soo wada duub

Iyada oo gacanta lagu hayo dhammaan waxyaabihii lagudambeeyay ee gacanta laga qabtay, waxaa la joogaa waqtigii aan ku laaban lahayn meeshii aan ka bilownay: ka faa’iidee tuug sirta ah ee C2.

Sida kor lagu sharaxay, waxaan u baahan nahay inaan dejino “dabin” Fiiri si aan u bilowno ka faa’iideysiga. Sidaa darteed, waa inaan eegnaa ujeedkeena oo aan diyaarinnaa VISTA saxda ah.

Hubinta Baadhitaanka 'Point Point' waxay ogaataa nuglaanta SQLite ee u oggolaanaya jabsiga iPhone 1

Sida lagu soo arkay guntin kor ku xusan, yoolkeennu wuxuu rajaynayaa xog uruurintayadu inay lahaato shax la yiraahdo Notes oo leh tiir la yiraahdo BodyRich gudaha. Si loo afduubo su’aashan, waxaan u abuurnaa VIEW soo socota

[Figure 31]

After Notes is queried, three QOP chains are executed. Let's analyze the first one.

heap_spray

Our first QOP chain should fill the heap with many copies of our malicious tokenizer.

[Figure 32]

p64_simple_create, p64_simple_destroy and p64_system are essentially all chains built from our leak and packing primitives.

For example, p64_simple_create is constructed as:

[Figure 33]

[Figure 34]

As these chains get very complex very fast, and are quite repetitive, we created QOP.py.
QOP.py simplifies things a bit by generating these queries in pwntools style.
Creating the above statements becomes as easy as:

[Figure 35]

Demonstration

COMMIT;

Now that we have established a framework to exploit any situation in which the querying party cannot be sure that the database is not malicious, let's explore another interesting use case for SQLite exploitation.

iOS persistence

Persistence is difficult to achieve on iOS, since all executable files must be signed as part of Apple's Secure Boot chain. Fortunately for us, SQLite databases are not signed.

Using our new capabilities, we replace one of the commonly used databases with a malicious version. After the device restarts and our malicious database is queried, we obtain code execution.

To demonstrate this concept, we replaced the contacts database, «AddressBook.sqlitedb». As in our PHP7 exploit, we created two additional DDL statements. One DDL statement overrides the default "simple" tokenizer, and the other DDL statement triggers the crash when an instance of the overridden tokenizer is created. Now all we have to do is rewrite each table in the original database as a view that hijacks any query made against it and redirects it to our malicious DDL.

[Figure 36]

[Figure 37]

Replacing the contacts database with our malicious one and restarting results in the following iOS crash:

Check Point Research discovers vulnerabilities in SQLite that allow hacking an iPhone 38

As expected, the Contacts process crashed at 0x414141414141414149, where we expected to find the xCreate constructor of our fake tokenizer.

In addition, the contacts database is shared among many processes. Contacts, FaceTime, SpringBoard, WhatsApp, Telegram and XPCProxy are just some of the processes that query it. Some of these processes are more privileged than others. Once we have shown that we can execute code in the context of the querying process, this technique also lets us expand and elevate our privileges.
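A defender-side check for the two schema tricks this write-up relies on (an expected table replaced by a "trap" VIEW, and schema SQL that reaches the fts3 tokenizer interface), added here as an example and not Check Point's code: it opens an untrusted database file read-only with trusted_schema=OFF, following SQLite's own guidance for untrusted files, and reports suspicious schema objects before anything queries them. The Notes/BodyRich names follow the page; the sample databases are constructed here and the finding labels are my own.

```python
import os
import re
import sqlite3
import tempfile

# Schema text that uses the write-up's primitive: fts3_tokenizer() and fts3 virtual tables.
FTS3_PATTERN = re.compile(r"\bfts3_tokenizer\s*\(|\bUSING\s+fts3\b", re.IGNORECASE)

def open_untrusted(path):
    """Read-only open; trusted_schema=OFF (SQLite 3.31+, ignored by older versions) stops
    non-innocuous functions and virtual tables referenced from views/triggers from running."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    con.execute("PRAGMA trusted_schema=OFF")
    return con

def audit_schema(path, expected_tables):
    """Return findings; [] means every expected table is a real table and nothing references fts3."""
    con = open_untrusted(path)
    try:
        rows = con.execute("SELECT type, name, sql FROM sqlite_master").fetchall()
    finally:
        con.close()
    kinds = {name: typ for typ, name, _ in rows}
    findings = []
    for table in expected_tables:
        kind = kinds.get(table)
        if kind != "table":  # the "trap" VIEW the write-up describes, or a missing table
            findings.append(f"hijack: {table!r} is {kind or 'absent'}, not a table")
    for typ, name, sql in rows:
        if typ == "trigger":
            findings.append(f"trigger: {name!r} runs SQL on writes to its table")
        if sql and FTS3_PATTERN.search(sql):
            findings.append(f"fts3: {typ} {name!r} references the fts3 tokenizer interface")
    return findings

def build_sample_db(path, hijacked):
    """Constructed sample (not from the research): Notes(BodyRich) as a real table, or the
    same name served by a VIEW over a hidden table, the shape of a hijacked schema."""
    ddl = "CREATE TABLE Notes (BodyRich TEXT);"
    if hijacked:
        ddl = ("CREATE TABLE real_notes (BodyRich TEXT);"
               "CREATE VIEW Notes AS SELECT BodyRich FROM real_notes;")
    con = sqlite3.connect(path)
    con.executescript(ddl)
    con.close()

def demo():  # audits both constructed samples: (clean_findings, hijacked_findings)
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = os.path.join(tmp, "clean.db"), os.path.join(tmp, "hijacked.db")
        for p, flag in ((clean, False), (bad, True)):
            build_sample_db(p, hijacked=flag)
        return audit_schema(clean, ["Notes"]), audit_schema(bad, ["Notes"])
```

Reading sqlite_master still loads the schema, so run the audit with a patched SQLite build (or in a sandbox) rather than from the privileged consumer itself.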

Our research and methodology were responsibly disclosed to Apple, and the following CVEs were assigned:

  • CVE-2019-8600
  • CVE-2019-8598
  • CVE-2019-8602
  • CVE-2019-8577

Future work

Given that SQLite is integrated into practically every platform, we believe we have barely scratched the tip of the iceberg when it comes to its exploitation potential. We hope the security community will take this innovative research and the released tools and push them further. A couple of directions we think would be interesting to pursue are:

  • Creating more versatile exploits. This can be done by building exploits dynamically, choosing the relevant QOP gadgets from prefabricated tables using functions such as sqlite_version() or sqlite_compileoption_used().
  • Achieve stronger exploitation primitives such as arbitrary R / W.
  • Looking for other scenarios in which the querying party cannot verify the trustworthiness of the database.

Conclusion

We established that simply querying a database may not be as safe as you expect. Using our innovative Query Hijacking and Query Oriented Programming techniques, we demonstrated that memory corruption issues in SQLite can now be exploited reliably. As our permission hierarchies become more segmented than ever, it is clear that we must rethink the boundaries of trusted versus untrusted SQL input. To demonstrate these concepts, we achieved remote code execution on a password-stealer backend running PHP7 and obtained persistence with elevated privileges on iOS. We believe these are just a couple of use cases in the endless landscape of SQLite.

The Check Point IPS product protects against this threat: «SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution (CVE-2019-8602)».