Compromise of SQLite databases allows running malicious code in iOS

At the DEFCON conference in Las Vegas, Check Point analysts demonstrated that a specially crafted SQLite database can be used to run code inside other applications that rely on it for data storage, which can ultimately be used, for example, to gain a stable foothold on an iOS device.

The root of the problem is how third-party applications read data from SQLite databases. An attacker can hide malicious code in the database file, so an application (for example, iMessage) that reads the malicious database will also execute the code hidden in it.

At the conference, the researchers showed that an attacker who succeeds in replacing or editing the AddressBook.sqlitedb file can embed malicious code in the iPhone address book.

iMessage reads this SQLite file regularly, and each time it does, the malicious code is executed, which lets the malware load on the device. Worse, Check Point analysts explain that Apple does not sign SQLite files, so substituting one is not difficult, and an attacker can easily ensure the payload is loaded again and again, giving it a stable presence in the system.
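The defensive counterpart to the point above, as an added example that is not part of the article or of Check Point's research: an application that would otherwise trust a SQLite file on disk first checks the SQLite header and an HMAC tag it stored alongside the file, and only then lets SQLite parse it. The key, the tag storage and the `AddressBook.sqlitedb` sample database are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def tag_for(path: str, key: bytes) -> str:
    """HMAC-SHA256 over the whole file; the app keeps this tag outside the DB directory (assumption)."""
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()


def verify_db(path: str, key: bytes, expected_tag: str) -> bool:
    """Reject a file that fails the header check, the HMAC, or SQLite's own integrity check."""
    with open(path, "rb") as f:
        header = f.read(16)
    if header != SQLITE_MAGIC:
        return False
    if not hmac.compare_digest(tag_for(path, key), expected_tag):
        return False  # replaced or edited file: do not let the SQLite parser touch it
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return con.execute("PRAGMA quick_check").fetchone()[0] == "ok"
    finally:
        con.close()


def demo() -> tuple:
    """Constructed sample: the genuine database passes, a tampered copy is rejected."""
    key = b"app-specific-key-not-stored-with-the-db"  # assumption
    path = os.path.join(tempfile.mkdtemp(), "AddressBook.sqlitedb")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts(name TEXT)")
    con.execute("INSERT INTO contacts VALUES ('alice')")
    con.commit()
    con.close()
    tag = tag_for(path, key)
    ok_before = verify_db(path, key, tag)
    # Simulate substitution: flip one byte past the file header.
    with open(path, "r+b") as f:
        f.seek(100)
        b = f.read(1)
        f.seek(100)
        f.write(bytes([b[0] ^ 0xFF]))
    ok_after = verify_db(path, key, tag)
    return ok_before, ok_after
```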


Interestingly, according to the researchers, SQLite problems can be used for defence as well. For example, browsers store users' data and passwords in SQLite databases, and malware often aims to steal this information and transfer the stolen data to a remote server.

Such servers are usually written in PHP and parse the received SQLite files, extracting users' data so that it can be conveniently displayed in the control panel. Check Point analysts are therefore convinced that SQLite can be exploited to execute code on such management servers and take control of the attackers' systems.

"Given the fact that SQLite is built into almost any platform, we believe that we have barely scratched the tip of the iceberg when it comes to operating potential," the experts say, noting that SQLite is present in Skype, almost any browser, Android devices, iTunes, Dropbox clients, car multimedia systems, televisions, cable set-top boxes and many other products.

Apple engineers have already released fixes (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, CVE-2019-8577) designed to protect users from this attack vector. The fixes are included in macOS Mojave 10.14.5, iOS 12.3, tvOS 12.3 and watchOS 5.2.1.

Technical details of the research can be found on the company's blog, and the tools the researchers used have already been published on GitHub.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
