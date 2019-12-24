

A new set of SQLite vulnerabilities can allow attackers to remotely execute malicious code within Google Chrome, the world's most popular web browser.

The five vulnerabilities, collectively called "Magellan 2.0", were disclosed today by the Tencent Blade security team.

All applications that use an SQLite database are vulnerable to Magellan 2.0; however, the risk of remote exploitation is lower for them than for Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks by default.

What are the Magellan vulnerabilities?

The disclosure of Magellan 2.0 comes exactly one year and a week after the same Tencent Blade security team disclosed the original Magellan SQLite vulnerabilities in December 2018.

Like the original Magellan vulnerabilities, these new variants are caused by improper input validation of the SQL commands that the SQLite database receives from a third party.

An attacker can craft an SQL statement that contains malicious code. When the SQLite database engine processes this statement, it can end up executing commands on the attacker's behalf.

In a security notice released today, the Tencent Blade team says that the Magellan 2.0 flaws can lead to "remote code execution, leaking program memory or causing program crashes."

How and what is vulnerable

All applications that use an SQLite database to store data are vulnerable, although the vector for "remote attacks over the Internet" is not exploitable by default. To be exploitable, the application must accept raw SQL commands directly from an untrusted party, something that very few applications allow.

The danger of remote attacks is present for Google Chrome, which also uses an internal SQLite database to store various browser settings and user data.

This is because Google Chrome includes WebSQL, an API that lets JavaScript code issue SQL commands, which are then executed against Chrome's SQLite database. WebSQL is enabled by default in Chrome, and also in Opera.

A malicious website could use the Magellan 2.0 vulnerabilities to execute malicious code against its Chrome visitors. However, the Tencent team says users have no reason to worry, as it has already reported these issues to Google and the SQLite team.

Tencent says that the five vulnerabilities of Magellan 2.0 were fixed in Google Chrome 79.0.3945.79, released two weeks ago.

The SQLite project also fixed the bugs in a series of patches on December 13, 2019; however, these fixes have not yet been included in a stable SQLite release, which remains v3.30.1, released on December 10.

No need to worry: SQLite and Google have already confirmed and fixed it, and we are also helping other vendors address it. We have not found any evidence of abuse of Magellan 2.0 in the wild and will not reveal any details now. Do not hesitate to contact us if you have any technical questions! https://t.co/3hUro9URWf

– Tencent Blade Team (@tencent_blade) December 24, 2019

Tencent says it is not aware of any public attack code or attacks exploiting the Magellan 2.0 vulnerabilities. The Chinese company said it plans to release more details about the two bugs in the coming months, and that today's disclosure only contains a summary of its findings, to warn application developers and push them to update the version of SQLite they ship with their applications.

However, some may not agree with the Chinese company's decision. When Tencent Blade published details about the original Magellan vulnerabilities last year, the company was heavily criticized by D. Richard Hipp, the creator of SQLite.

At that time, Hipp said the Chinese company was exaggerating the impact of the original vulnerability, since the Magellan attack vector could not lead to remote code execution (RCE) for the vast majority of SQLite-dependent applications.

Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray hats found a way to get RCE using maliciously crafted SQL. So, if you allow random Internet users to execute arbitrary SQL on your system, you should update. Otherwise, you are not at risk.

– D. Richard Hipp (@DRichardHipp) December 15, 2018

Hipp was right, and his 2018 observation still holds for Magellan 2.0 in 2019. Most applications that use an SQLite database are not affected by the "remote" attacks of Magellan 2.0.

However, a remote code execution (RCE) scenario is possible in Chrome, mainly due to the existence of the WebSQL API.

The five vulnerabilities of Magellan 2.0 are tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752 and CVE-2019-13753. The original Magellan vulnerabilities are tracked as CVE-2018-20346, CVE-2018-20505 and CVE-2018-20506.