A new set of SQLite vulnerabilities can allow attackers to remotely run malicious code inside Google Chrome, the world’s most popular web browser.
The vulnerabilities, five, in total, are named “Magellan 2.0,” and were disclosed today by the Tencent Blade security team.
All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of “remote exploitation” is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks, by default.
What are the Magellan vulnerabilities?
The Magellan 2.0 disclosure comes exactly one year and one week after the same Tencent Blade security team disclosed the original Magellan SQLite vulnerabilities, last year, in December 2018.
Just like the original Magellan vulnerabilities, these new variations are caused by improper input validation in SQL commands the SQLite database receives from a third-party.
An attacker can craft an SQL operation that contains malicious code. When the SQLite database engine reads this SQLite operation, it can perform commands on behalf of the attacker.
In a security advisory published today, the Tencent Blade team says the Magellan 2.0 flaws can lead to “remote code execution, leaking program memory or causing program crashes.”
How and what’s vulnerable
All apps that use an SQLite database to store data are vulnerable, although, the vector for “remote attacks over the internet” is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow.
The danger of remote attacks is present for users of Google Chrome, which also uses an internal SQLite database to store various browser settings and user data.
This is because Google Chrome ships with WebSQL, an API that translates JavaScript code into SQL commands, which are then executed against Chrome’s SQLite database. WebSQL is enabled by default in Chrome, but also in Opera.
A malicious website could use the Magellan 2.0 vulnerabilities to run malicious code against its Chrome visitors. However, the Tencent team says users have no reason to worry, as they’ve notified Google and the SQLite team of these issues already.
Tencent says the five Magellan 2.0 vulnerabilities were fixed in Google Chrome 79.0.3945.79, released two weeks ago.
The SQLite project also fixed the bugs in a series of patches on December 13, 2019; however, these fixes have not been included in a stable SQLite branch — which remains v3.30.1, released on December 10.
No need to worry: SQLite and Google have already confirmed and fixed it and we are helping other vendors through it too. We haven’t found any proof of wild abuse of Magellan 2.0 and will not disclose any details now. Feel free to contact us if you had any technical questions! https://t.co/3hUro9URWf
— Tencent Blade Team (@tencent_blade) December 24, 2019
Tencent says it was not aware of any public exploit code or attacks for the Magellan 2.0 vulnerabilities. The Chinese company said it plans to release more details about the two bugs in the coming months, and that today’s disclosure only contains a summary of their findings to give app developers a heads-up and nudge towards updating the SQLite version they ship with their apps.
However, some might not agree with the Chinese company’s decision. When Tencent Blade published details about the original Magellan vulnerabilities last year, the company came under heavy criticism from D. Richard Hipp, SQLite’s creator.
At the time, Hipp said the Chinese company was overhyping the impact of the original vulnerability, as the Magellan attack vector could not lead to a remote code execution (RCE) for the vast majority of the apps relying on SQLite.
Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk.
— D. Richard Hipp (@DRichardHipp) December 15, 2018
Hipp was right, and his 2018 observation remains valid for Magellan 2.0, in 2019. Most apps that use an SQLite database aren’t impacted by “remote” Magellan 2.0 attacks.
Nonetheless, a remote code execution (RCE) scenario is possible in Chrome, primarily due to the existence of the WebSQL API.
The five Magellan 2.0 vulnerabilities are tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, and CVE-2019-13753. The original Magellan vulnerabilities are tracked as CVE-2018-20346, CVE-2018-20505, and CVE-2018-20506.
