SQLite is widely used as embedded database software for local/client storage in application software, such as web browsers and mobile applications. As a relational database, SQLite is vulnerable to SQL injection attack, which has been well-studied for a long time. Memory corruption bugs in SQLite are usually not considered security issues, since they are normally unlikely to be exploitable. In this talk, we will study several remotely exploitable memory corruption cases to show the dangerous attack surface in SQLite.
The journey of SQLite exploitation starts with Web SQL. Web SQL Database is a web page API for storing data in databases that can be queried using SQL language. Although W3C working group has ceased working on the specification since 2010, many modern browsers including Google Chrome, Apple Safari and Opera have an implementation based on SQLite as the backend for years. We will go through several previous issues of SQLite and discuss how they affect the browsers and how they have been fixed. Also, we will present new vulnerabilities in SQLite that we used to compromise Apple Safari in Pwn2Own 2017. The new bugs exist in all browsers that support Web SQL Database, including browser components Android WebView and iOS UIWebView widely used in mobile applications. We will demonstrate our exploit against multiple browser targets from multiple platforms to show the impact of a single SQLite vulnerability.
Many programming languages have a support of SQLite API bindings such as PHP, Lua and Java. Memory corruption bugs of SQLite may also affect security features of these programming languages. We will show SQLite exploitation in PHP SQLite extension to bypass PHP security restrictions, as an example.