Exploring and Exploiting the SQLite

Explore the intricacies of SQLite vulnerabilities and exploitation techniques in this comprehensive conference talk from the Hack In The Box Security Conference. Delve into the discovery of the Magellan vulnerabilities and their impact on Google Home and Chrome. Learn about new protective measures implemented in SQLite and WebSQL. Examine seven newly discovered vulnerabilities and three bugs that can be chained together to bypass Defense-In-Depth and cause Remote Code Execution in Chrome through WebSQL. Gain insights into manual auditing techniques and the development of an effective fuzzer, sqlite3_shadow_table_fuzzer, now running on Google's ClusterFuzz. Understand the weaknesses in existing fuzzers and strategies for optimizing vulnerability discovery. Follow along as the speaker demonstrates auditing strategies for blobs, memory operations, and special commands. Discover the power of shadow tables and structure-aware fuzzing in identifying security flaws. Learn how to bypass Defense-In-Depth measures and create fake objects to stabilize the heap for successful exploitation. Conclude with valuable insights on improving security research efficiency and effectiveness in SQLite and related technologies.