(PT-2012-22) Positive Technologies Security Advisory
Format String Vulnerability in SQLite
Vulnerable software
SQLite
Version: 3.7.13 and earlier
Operation system: OS/2 (eComStation)
Application link:
http://sqlite.org/
Severity level
Severity level: Medium
Impact: Denial of Service
Access Vector: Local
CVSS v2:
Base Score: 5.5
Vector: (AV:L/AC:M/Au:S/C:C/I:P/A:P)
CVE: not assign
Software description
SQLite is a lightweight embedded relational database.
Vulnerability description
The specialists of the Positive Research center have detected format string vulnerability in SQLite.
While opening a file via SQLite on the OS/2 operating system (eComStation), the path, to be converted from a relative one to an absolute one, is handled by the os2FullPathname function. As part of the function’s execution process, the path gets into the sqlite3_snprintf function as a format string, and not as an argument for a format string. This allows attackers to use escape sequences in the format string.
The vulnerability is in the file /sqlite3.c.
Vulnerable code fragment:
static int os2FullPathname(
...
const char *zRelative, /* Possibly relative input path */
...
char *zFull /* Output buffer */
){
char *zRelativeCp = convertUtf8PathToCp( zRelative );
...
APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
zFullCp, CCHMAXPATH );
free( zRelativeCp );
zFullUTF = convertCpPathToUtf8( zFullCp );
sqlite3_snprintf( nFull, zFull, zFullUTF );
...
Exploitation Exapmle
Opening the database named "%s%s%s%s%s%s%s" will trigger SQLite failure.
How to fix
From June 21, 2012 the vendor does not support SQLite for OS/2. Version 3.7.13 and earlier are vulnerable.
Advisory status
10.07.2012 - Vendor is notified
06.09.2012 - Public disclosure
Credits
The vulnerabilities has discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2012-22
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
About Positive Technologies
Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia.
The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; development of the Securitylab leading Russian information security portal.
Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA.
Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.
Get in touch
will contact you shortly