
Exploring and Exploiting the SQLite

Hack In The Box Security Conference via YouTube

Overview

Explore the intricacies of SQLite vulnerabilities and exploitation techniques in this comprehensive conference talk from the Hack In The Box Security Conference. Delve into the discovery of the Magellan vulnerabilities and their impact on Google Home and Chrome. Learn about new protective measures implemented in SQLite and WebSQL. Examine seven newly discovered vulnerabilities and three bugs that can be chained together to bypass Defense-In-Depth and cause Remote Code Execution in Chrome through WebSQL. Gain insights into manual auditing techniques and the development of an effective fuzzer, sqlite3_shadow_table_fuzzer, now running on Google's ClusterFuzz. Understand the weaknesses in existing fuzzers and strategies for optimizing vulnerability discovery. Follow along as the speaker demonstrates auditing strategies for blobs, memory operations, and special commands. Discover the power of shadow tables and structure-aware fuzzing in identifying security flaws. Learn how to bypass Defense-In-Depth measures and create fake objects to stabilize the heap for successful exploitation. Conclude with valuable insights on improving security research efficiency and effectiveness in SQLite and related technologies.

Syllabus

Intro
Tencent Blade Team
Agenda
The Magellan 2.0
Vulnerabilities or Bugs Found by the Fuzzer
Auditing Strategies: Blobs
Auditing Strategies: The Memory Operations
Auditing Strategies: Special Commands
Shadow Tables
Structure-Aware Fuzzing
How the Fuzzer is Implemented
Differences from Google's (1)
Raw Data
Generated Testcase
Preparations
Initial Queries of the Fuzzer
The Structure opdata_16
Example of Translating Opcode to Query
Table Selector and Column Selector
SQL Operation Selector
Get Data from Data Provider
Run Generated SQL Queries
Bypass the Defense-In-Depth
It's a Little Bit Tough
Let's Make Some Fake Objects
Stabilize the Heap and the RCE
Get Uninitialized Heap Data
Overwrite the sqlite3Config
Set the Memory Page to RWX
Restore the Stack
Conclusion

Taught by

Hack In The Box Security Conference
