Explore the world of SQLite exploitation in this 47-minute conference talk from the 36th Chaos Communication Congress. Delve into innovative techniques like Query Hijacking and Query Oriented Programming to achieve code execution using malicious SQLite databases. Learn how to exploit memory corruption vulnerabilities within the SQLite engine using only SQL language, without relying on external environments. Discover real-world attack scenarios, including compromising password stealer backend servers and achieving iOS persistence with elevated privileges. Gain insights into SQLite internals, novel ROP chain techniques using SQL CREATE statements, and the use of JOIN statements for Heap Spray. Understand the potential security implications of SQLite's widespread deployment and the importance of treating database queries with caution. Follow along as the speakers demonstrate their findings, discuss SQLite internals, and explore the foundations for leveraging memory corruption issues in database engines.
Overview
Syllabus
Intro
Agenda
Motivation
Prologue
Examining the Attack Surface
Data Definition Language
Back to Query Preparation
DDL Patching
CREATE VIEW
Query Hijacking Example
SQL Injection
Memory Corruptions and SQLite
WebSQL - Attacks
Full Text Search
Virtual Tables
Shadow Tables
RTREE Bug
My Exploitation Primitives Wish-list
QOP by Example: The Unfixed CVE-2015-7036
RECAP
Exploitation Game Plan
Memory Leak
Unpacking of 64-bit pointers
Pointer Arithmetics
Crafting Complex Objects in Memory
Fake Object Example
Heap Spray
My Exploitation Primitives Wish- list
QOP Chaining
Next Target: iOS Persistency
Malicious Contacts DB
Secure Boot Bypassed CVE-2019-8577
Takeaways
Taught by
media.ccc.de
