SQLite creator fires back at Tencent’s bug hunters

The creator of SQLite, an open source database management system used in thousands of applications, has downplayed reports of a bug that could lead to remote code execution.
The Tencent Blade security research team reported the bug, called Magellan, in both SQLite and the open-source Chromium browser, which uses a version of the database. They said:

This vulnerability can be triggered remotely, such as accessing a particular web page in a browser, or any scenario that can execute SQL statements.

Developed in 2000, SQLite has become one of the most commonly-used open source programs and is a part of many other applications, including the Chrome, Safari and Firefox browsers and numerous back-end web application frameworks. You’ll find it widely used in apps on many plaftforms, including mobile phones and IoT (Internet of Things) devices. Those devices can be especially difficult to update in the field.
Tencent warned that the bug could be serious given the product’s “wide range of influence”. However, SQLite’s creator Dr Richard Hipp told Naked Security:

[Tencent] are highly motivated to spin this as a huge finding. A huge bug that’s going to affect a lot of people and I believe that they have exaggerated things for that purpose. Some news organizations have picked it up and said that millions of applications are affected by this and that’s just not true.

He argued in a tweet that the bug isn’t nearly as bad as reports make it out to be:

Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk.

— D. Richard Hipp (@DRichardHipp) December 15, 2018

Whereas many SQL databases operate as servers separate to the main application, SQLite is a serverless embedded database. Developers link its software library into their application code and it hosts everything, including the database schemas and data, in a single disk file.
While application software using the database would normally shield it from direct user access, security could be an issue if the application allows an attacker to mount the exploit. This seems to be the case with Google Home, the voice-activated speaker that relies on SQLite internally. The researchers said that they successfully exploited that product.
The flaw lies not in the core SQLite engine itself, but in FTS3, a full-text search module that developers can use with the system. Sending SQL commands to FTS3 can trigger the flaw. An attacker might do that by directing an application using SQLite to visit a malicious website, which could then send the SQL commands using JavaScript.
A successful exploit could enable an attacker to leak program memory (a possible security danger), crash a program, or in the worst case execute code remotely on the system, Tencent Blade’s researchers said.
That’s unlikely in most cases, responded Hipp:

You need a combination of things. You have to be able to execute arbitrary SQL and you have to have FTS3 enabled, and in those cases you can get a remote code execution.

Hipp added that Google Chrome, which is built on Chromium, was vulnerable to this because it allowed SQL queries to FTS3 via Web SQL Database, a now-deprecated mechanism based on SQLite that allowed websites to directly query embedded databases via SQL. Hipp continued:

For the vast majority of applications that do not have an SQL injection problem, or do not enable full text search 3, there’s no impact to them at all.

The SQLite development team has patched the code and added a new feature that Hipp says will add more protection against any similar issues in the future. The latest update describes it thus:

Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the ability to create corrupt database files using ordinary SQL.
For people who do have applications like WebSQL and Chrome, that are allowing anonymous passers-by to run arbitrary SQL statements, the defensive option adds additional defensive mechanisms in an attempt to avoid future zero day attacks like this.

Hipp admitted that the bug slipped by because the testing standard for FTS3 was inferior to the standard that the development team used for the core database engine. Historically, SQLite’s core engine is exposed to Google’s OSSFuzz tool for automated testing, but FTS3 has not been. The open source team will be exposing the library to Google’s tool in the future, he said.
Tencent’s researchers are following responsible disclosure rules by informing Google, which has fixed the Chromium vulnerability. However, they are still not releasing a proof of concept exploit. Instead, they are contacting other vendors privately with details of the vulnerability to have them update their products.
That hasn’t stopped others reportedly crashing Chrome with their own PoC code:

POC - Crash Chrome 70 with the SQLite Magellan bug https://t.co/tkpGejMFz4 It didn't worked on Linux tho.

— nixCraft 🐧 (@nixcraft) December 15, 2018

The Tencent Blade team has warned companies using Chromium in their products to update it to the official stable version 71.0.3578.80. SQLite users should update to 3.26.0, they added.