At the DEFCON conference in Las Vegas, Check Point analysts demonstrated that a specially tuned SQLite database could be used to run code inside other applications that rely on it for data storage, which ultimately allows, for example, a stable presence on an iOS device.
The root of this problem is how third-party applications read data from SQLite databases. In fact, an attacker can hide malicious code in the database, and as a result, an application (for example, the already mentioned iMessage) that reads the malicious database will also execute the code hidden in it.At the conference, the researchers showed that an attacker who succeeds in replacing or editing the AddressBook.sqlitedb file would be able to embed malicious code in the iPhone address book.
The fact is that iMessage requests SQLite file regularly, and at the same time, malicious code is launched, which allows the malware to load on the device. Even worse, Check Point analysts explain that Apple does not sign SQLite files, so it is not difficult to make a substitution, and an attacker can easily ensure a constant load and a stable presence in the system.
Read also: Vulnerabilities in Electron allow to backdoor Skype, WhatsApp, Slack
Interestingly, according to the researchers, SQLite problems can be used for protection as well. For example, browsers store user’s data and passwords in SQLite databases, and malware often aims to steal this information and transfer the stolen data to a remote server.
Such servers, as a rule, are written in PHP and analyze the received SQLite files, extracting user’s data from them so that they can be conveniently displayed directly in the control panel. However, Check Point analysts are convinced that SQLite can be exploited to execute code on such management servers and take control over attackers’ systems.
“Given the fact that SQLite is built into almost any platform, we believe that we have barely scratched the tip of the iceberg when it comes to operating potential”, – experts say, bearing in mind that SQLite is present in Skype, almost any browser, on Android devices, in iTunes, Dropbox clients, car multimedia systems, televisions, cable consoles and many other products.
Apple engineers have already released fixes (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, CVE-2019-8577) designed to protect users from this attack vector. Updates received macOS Mojave 10.14.5, iOS 12.3, tvOS 12.3 and watchOS 5.2.1.