PT-2012-22: Format String Vulnerability in SQLite

MEDIUM
(5.5) (AV:L/AC:M/Au:S/C:C/I:P/A:P)

What are the security threats on your network?

Check your traffic-for free
Request pilot

(PT-2012-22) Positive Technologies Security Advisory
Format String Vulnerability in SQLite

Vulnerable software

SQLite
Version: 3.7.13 and earlier
Operation system: OS/2 (eComStation)

Application link:
http://sqlite.org/

Severity level

Severity level: Medium
Impact: Denial of Service
Access Vector: Local  

CVSS v2:
Base Score: 5.5
Vector: (AV:L/AC:M/Au:S/C:C/I:P/A:P)

CVE: not assign

Software description

SQLite is a lightweight embedded relational database.

Vulnerability description

The specialists of the Positive Research center have detected format string vulnerability in SQLite.

While opening a file via SQLite on the OS/2 operating system (eComStation), the path, to be converted from a relative one to an absolute one, is handled by the os2FullPathname function. As part of the function’s execution process, the path gets into the sqlite3_snprintf function as a format string, and not as an argument for a format string. This allows attackers to use escape sequences in the format string.

The vulnerability is in the file /sqlite3.c.
Vulnerable code fragment:

static int os2FullPathname(
...
const char *zRelative,      /* Possibly relative input path */
...
char *zFull                 /* Output buffer */
){
char *zRelativeCp = convertUtf8PathToCp( zRelative );
...
APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
zFullCp, CCHMAXPATH );
free( zRelativeCp );
zFullUTF = convertCpPathToUtf8( zFullCp );
sqlite3_snprintf( nFull, zFull, zFullUTF );
...

Exploitation Exapmle
Opening the database named "%s%s%s%s%s%s%s" will trigger SQLite failure.

How to fix

From June 21, 2012 the vendor does not support SQLite for OS/2. Version 3.7.13 and earlier are vulnerable.

Advisory status

10.07.2012 - Vendor is notified
06.09.2012 - Public disclosure

Credits

The vulnerabilities has discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-22

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

About Positive Technologies

Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia.

The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; development of the Securitylab leading Russian information security portal.

Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA.

Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.

Get in touch

Fill in the form and our specialists
will contact you shortly