SQLite CVE-2015-6607 (Escalation of privilege issue )

Saurav Sarkar
Dear SQLite Experts,

This is regarding SQLite vulnerability

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607

It mentions the escalation of privilege attack in Android due to an
internal bug in SQLite

We use SQLite distributed with Android in our application and use the
normal Android APIs for SQLite access. And use it for our CRUD operations.

I did not find any more details about this bug so would like to know in
this list if this is a problem.

Also we have a Universal Windows platform based application where we use
SQLite as external dependency and use for same CRUD operations.

Would like to know if the same vulnerability applies for Windows universal
platform as well.

Thanks and Best Regards,
Saurav
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Simon Slavin-3

On 17 Apr 2017, at 9:56am, Saurav Sarkar <[hidden email]> wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607
>
> It mentions the escalation of privilege attack in Android due to an
> internal bug in SQLite
>
> We use SQLite distributed with Android in our application and use the
> normal Android APIs for SQLite access. And use it for our CRUD operations.
>
> I did not find any more details about this bug so would like to know in
> this list if this is a problem.

SQLite 3.8.9, which according to the announcement fixed the relevant bug, was released in April 2015, which is now two years ago.

As described in the report, if you’re still using a version of Android before 5.1.1 the bug will still affect the platform.

> Would like to know if the same vulnerability applies for Windows universal
> platform as well.

SQLite is not built into that platform. If you wish to use SQLite on WUP yourself, just make sure you include a current version, not a two-year-old version.

Simon.

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Saurav Sarkar
Thanks Simon for the reply.

Can you please also let me know how this bug can be exploited in an
application.

I am just using Android API (SQLiteOpenHelper) for SQLite to access
SQLiteDB CRUD operations.

We don't have authorization feature built into our client side. Even
authentication is done from the server side.
End Users don't have access to db directly. No SQL injection is possible
too.

Just wanted to check if this bug can be exploited in our application.

Best Regards,
Saurav

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Richard Hipp-3
On 4/17/17, Saurav Sarkar <[hidden email]> wrote:
> Dear SQLite Experts,
>
> This is regarding SQLite vulnerability
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6607

I don't know anything about this.  It is the first I've heard of it.
I could not figure out what it has to do with SQLite based on the link
above.  My assumption is that this is some kind of bug in the Android
interface to SQLite, not in SQLite itself.

--
D. Richard Hipp
[hidden email]

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Simon Slavin-3

On 17 Apr 2017, at 10:35am, Saurav Sarkar <[hidden email]> wrote:

> Can you please also let me know how this bug can be exploited in an
> application.

The problem was apparently spotted as a theoretical vulnerability and no demonstration code was submitted.  It was never reported to the SQLite development team, so the team has no record of what was wrong, what it did, or how to exploit it.

From what I can see, it affected only versions of Android before Android 5.1. It allowed an application with exploit code in, if given sufficient privileges, to modify certain system files. I don’t know which files it could modify or what damage could be done that way. If you can find discussion of the problem or demonstration code I think it would be welcome here.

Simon.

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Michael Falconer
These may enlighten a little..........at least it appears to be related?

 http://www.cvedetails.com/cve/CVE-2015-6607/

IBM report <http://www-01.ibm.com/support/docview.wss?uid=swg21981270>

--
Regards,
     Michael.j.Falconer.

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Michael Falconer
Just amusing, and found while looking for above.....

> Researchers have disclosed a vulnerability in *Android's* SQLite that can
> leak sensitive information without an application having adequate
> privileges.

So when did DRH sell out to Android? :-)

From an old (2012) blog report HERE
<https://www.mocana.com/blog/2012/05/03/new-android-sqlite-vulnerability>

Getting a sense that it's more about Android than sqlite, just as DRH
suggested.


--
Regards,
     Michael.j.Falconer.

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Richard Hipp-3
On 4/17/17, Michael Falconer <[hidden email]> wrote:
> These may enlighten a little..........at least it appears to be related?
>
>  http://www.cvedetails.com/cve/CVE-2015-6607/
>
> IBM report <http://www-01.ibm.com/support/docview.wss?uid=swg21981270>

Huh.  That's not much of a vulnerability.

If an attacker can execute arbitrary SQL (notice that they must
already be well inside the system to do this) then they can run a
query like this:

     SELECT printf('%1000000000d', 0);

And that query does a malloc for a 1-billion-byte (plus 1) buffer in
which to write the result, which might cause problems elsewhere in the
system.  Or at least that is how I read the bug report.

We added the SQLITE_PRINTF_PRECISION_LIMIT compile-time option here
(http://sqlite.org/src/timeline?c=ecad75d69e0d5c83dd35) to deal with
that problem for the rare application that gives untrusted users the
ability to run unvetted SQL.
--
D. Richard Hipp
[hidden email]
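Added example (not part of the original thread and not SQLite project code): for the rare application described above that runs unvetted SQL, a runtime complement to the compile-time option is an authorizer that refuses non-allowlisted functions such as printf() when the statement is prepared, before any buffer is allocated. The `notes` table, the allowlist and the helper names are assumptions made for this sketch.

```python
import sqlite3

# Assumed allowlist for this example; anything absent (printf, and its newer
# alias format) is refused when the statement is prepared.
ALLOWED_FUNCTIONS = {"count", "sum", "min", "max", "length", "lower", "upper"}


def authorizer(action, arg1, arg2, dbname, source):
    """Permit plain reads and allowlisted functions; deny everything else."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_for_untrusted_sql():
    """Build a constructed sample database, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes (body) VALUES (?)", [("alpha",), ("Beta",)])
    conn.commit()
    conn.set_authorizer(authorizer)  # installed only after trusted setup
    return conn


def run_untrusted(conn, sql):
    """Return ('ok', rows) or ('rejected', reason) for one untrusted statement."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    conn = open_for_untrusted_sql()
    for sql in (
        "SELECT count(*), max(length(body)) FROM notes",
        "SELECT lower(body) FROM notes ORDER BY id",
        "SELECT printf('%1000000000d', 0)",   # the query quoted in the thread
        "SELECT format('%1000000000d', 0)",   # alias of printf in newer SQLite
        "DELETE FROM notes",
    ):
        print(sql, "->", run_untrusted(conn, sql))
```

Lowering SQLITE_LIMIT_LENGTH with sqlite3_limit() is a complementary runtime cap on the size of any string or BLOB that a permitted function can produce.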

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Simon Slavin-3

On 17 Apr 2017, at 10:29pm, Michael Falconer <[hidden email]> wrote:

> From an old (2012) blog report HERE
> <https://www.mocana.com/blog/2012/05/03/new-android-sqlite-vulnerability>

Your recent links appear to be for other problems.  This one, for instance, is from 2012.

Simon.

Re: SQLite CVE-2015-6607 (Escalation of privilege issue )

Richard Hipp-3
On 4/17/17, Simon Slavin <[hidden email]> wrote:
>
> On 17 Apr 2017, at 10:29pm, Michael Falconer <[hidden email]>
> wrote:
>
>> From an old (2012) blog report HERE
>> <https://www.mocana.com/blog/2012/05/03/new-android-sqlite-vulnerability>
>
> Your recent links appear to be for other problems.  This one, for instance,
> is from 2012.

The 2012 report does not provide any details.  I have no idea what the
complaint is.

My guess is that it is another case of:  If you give untrusted users
unfettered SQL access, they can do harmful things.  My response to
this is "Duh!"

--
D. Richard Hipp
[hidden email]