6

I've been wondering about SQLite, how it decides to execute your SQL and then generates byte code to do it.

Hypothetically if you were sufficiently familiar with the quarks of SQLite at a low enough level, one could craft web requests on sites running it, such that the results of each subsequent request, leave the SQLite engine in a particular state, no?

Suppose previous states, when interleaved with subsequent carefully crafted states, lead to execution and injection vulnerabilities.

Arent ideas like this what lead to the randomization of jump addresses in modern architectures?

Comments
  • 5
    Short answer because I’m not well enough to get into details, but yes, sort of. That’s the gist.

    A little less short answer: that’s not quite how it works, but you’re thinking along the correct lines.
  • 3
    Yes and (likely) no.

    Arbitrary SQLite queries were indeed memory unsafe in the past. But websites must be protected from those anyway, as it would lead to a loss of security anyway.
    Your example does not have those.

    Excluding vulnerabilities in the query language, a regular (especially read only) query _should_ not change the engine state leading to remote code execution.
    It is a theoretic attack vector, but I doubt it is more than that: For code execution you usually have to modify the the return address or modify executable memory - and a regular call to a non attacker controlled query should not do any of this.
    I'm not saying this is impossible, but it is nothing I'd worry about (neither as an attack nor website owner).
  • 1
    @Wisecrack I love your thought-inducing posts!
  • 1
    @PonySlaystation and I love your thought inducing name!
  • 0
    Heh I never knew this
  • 1
    But probably not
    You’d be trying something like a sql injection attack and feeding byte code to its compiler
  • 0
    Eg the web service would be calling the SQLite library not feeding the lib bytecode
  • 0
    @killames I'm thinking more along the lines how particular requests may leave partial states behind.

    And by chaining multiple requests like this, these otherwise harmless bugs in engine state may be combine into an attack vector proper.
Add Comment