Talos security researchers discovered a Use After Free vulnerability in SQLite, allows attackers to send malicious SQL commands to trigger the vulnerability.
The free vulnerability exists in the window function functionality of Sqlite3; the flaw can be tracked as CVE-2019-5018; it affects SQLite 3.26.0, 3.27.0 and receives 8.1 – CVSS:3.0 score.
SQLite is a favorite library used in implementing SQL database engine; it is used extensively in a number of devices including mobile devices, browsers, hardware devices, and user applications.
“SQLite implements the Window Functions feature of SQL which allows queries over a subset, or “window,” of rows. After parsing a SELECT statement that contains a window function, the SELECT statement is transformed using the sqlite3WindowRewrite function.”
The master objected retriwed from the SELECt objects and rewrites for easier processing. Researchers discovered that during deletion of expression, “if the expression is marked as a Window Function, the associated Window object is deleted as well.”
While deletion of windows, it’s associated partition of the window also get deleted, “After this partition is deleted, it is then reused in exprListAppendList , causing a use after free vulnerability, resulting in a denial of service,” reads vulnerability report.
“If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”
Vulnerability Disclosure Timeline
2019-02-05 – Vendor Disclosure
2019-03-07 – 30 day follow up with vendor; awaiting moderator approval
2019-03-28 – Vendor patched
2019-05-09 – Public Release