SQLite databases can be modified in such a way that they execute malicious code inside other apps that rely on them to store data, security researchers have revealed.
At the DEF CON security conference in Las Vegas today, Check Point security researcher Omer Gull demonstrated a tainted SQLite database hijacking the command and control server of a malware operation, and malware using SQLite to achieve persistence on iOS devices.
Clever SQLite attack lets hackers get iOS persistence
The idea is that vulnerabilities in how third-party apps read data from SQLite databases allow an attacker to hide malicious code in the SQLite database’s data.
When the third-party app, such as iMessage, reads the tainted SQLite database, it also inadvertently executes the hidden code.
In the iMessage demo he presented at DEF CON, Gull showed how malware or a threat actor that manages to replace or edit the “AddressBook.sqlitedb” file can insert malicious code inside an iPhone’s address book.
When iMessage queries this SQLite file, which iMessage does at regular intervals, the malicious code runs, and allows the malware to gain boot persistence on the device.
While this scenario seems implausible, it isn’t as hard as it looks. Gull said Apple doesn’t sign SQLite data files, so replacing this file is trivial. Therefore, a threat actor has a simple way to gain boot persistence on iPhones and macOS devices.
For its part, Apple issued fixes (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, CVE-2019-8577) for the SQLite attack vector in May, with macOS Mojave 10.14.5, iOS 12.3, tvOS 12.3, and watchOS 5.2.1. Users who delayed updating their devices are still vulnerable to this attack.
SQLite flaws can be used to hijack malware operations
But there are other scenarios where these vulnerabilities can be used for “good.” Those cases are against malware.
For example, browsers store user data and passwords inside SQLite databases. Info-stealers, a class of malware, are specifically designed to steal these SQLite user data files and upload them to a remote command-and-control (C&C) server.
These C&C servers are usually coded in PHP and work by parsing the SQLite files to extract the user’s browser data so they can show it inside the malware’s web-based control panel.
Gull said that like in the case of the iMessage attack, the SQLite vulnerabilities can be used to execute code on the malware’s C&C servers and take over crooks’ systems.
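Both scenarios above come down to the same weakness: an application trusts an SQLite file whose bytes it did not control, either its own data file that nobody signed (the iMessage case) or a file delivered by a stranger (the C&C parser case). The following Python example, added here and not part of Check Point’s research or Apple’s code, shows the two checks a defender can put in front of such a file: an HMAC recorded by the owning app after each write, so that out-of-band edits are refused before the file is ever parsed, and, for files that arrive with no such record, a read-only schema inspection that reports triggers, views or tables the consumer never created. The key, table names and the “AddressBook.sqlitedb” sample database are constructed for the demo.

```python
"""Pre-load checks for an SQLite file an app is about to trust (added example)."""
import hashlib
import hmac
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of every SQLite 3 file


def file_mac(path, key):
    """HMAC-SHA256 over the raw file bytes; the owning app records this after each write."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def inspect_schema(path, allowed_tables):
    """Open read-only and list schema objects the consumer did not create."""
    findings = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        for typ, name in con.execute("SELECT type, name FROM sqlite_master"):
            if typ in ("view", "trigger"):
                # Views and triggers are executable SQL; a plain data file should carry none.
                findings.append(f"unexpected {typ}: {name}")
            elif typ == "table" and name not in allowed_tables and not name.startswith("sqlite_"):
                findings.append(f"unexpected table: {name}")
        if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            findings.append("integrity_check failed")
    finally:
        con.close()
    return findings


def check_database(path, allowed_tables, key=None, expected_mac=None):
    """Return a list of problems; an empty list means the file may be loaded."""
    with open(path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            return ["not an SQLite 3 file"]
    if key is not None:
        # Owning-app case: refuse the file before parsing it if the bytes changed behind our back.
        if not hmac.compare_digest(file_mac(path, key), expected_mac):
            return ["MAC mismatch: file modified outside the app"]
    # No MAC available (e.g. a file received from elsewhere): fall back to schema inspection.
    return inspect_schema(path, allowed_tables)


def demo():
    """Constructed scenario: a clean contacts DB, then the same file edited outside the app."""
    key = b"demo-only-key"  # placeholder; a real app would hold this in its keystore
    path = os.path.join(tempfile.mkdtemp(), "AddressBook.sqlitedb")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    con.execute("INSERT INTO contacts VALUES ('Alice', '555-0100')")
    con.commit()
    con.close()
    recorded_mac = file_mac(path, key)
    clean = check_database(path, {"contacts"}, key, recorded_mac)

    # Out-of-band edit: a trigger is SQL the app never wrote (harmless body, for the demo only).
    con = sqlite3.connect(path)
    con.execute("CREATE TRIGGER t AFTER INSERT ON contacts BEGIN SELECT 1; END")
    con.commit()
    con.close()
    owner_view = check_database(path, {"contacts"}, key, recorded_mac)  # MAC catches it
    parser_view = check_database(path, {"contacts"})                     # schema check catches it
    return clean, owner_view, parser_view


if __name__ == "__main__":
    for label, result in zip(("clean", "owner", "parser"), demo()):
        print(label, result or "ok")
```

The owning app checks the MAC first and never opens a file that fails it, because the parser is exactly the attack surface the research targets; the schema inspection is the weaker fallback for consumers that receive files from outside and have no trusted reference to compare against.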
“Given the fact that SQLite is practically built-in to almost any platform, we think that we’ve barely scratched the tip of the iceberg when it comes to its exploitation potential,” Gull said.
Apps that rely on SQLite include the likes of Skype, any web browser, any Android device, any iTunes instance, Dropbox sync clients, car multimedia systems, television sets and set-top cable boxes, and a bunch of other apps.
“We hope that the security community will take this innovative research and the tools released and push it even further.”