Magellan 2.0, a series of vulnerabilities that allow Chrome to be attacked remotely

Magellan 2.0

A few days ago, security researchers from the Chinese company Tencent presented a new version of a series of vulnerabilities (CVE-2019-13734), which they named Magellan 2.0. It was disclosed a year and a week after the disclosure of the original Magellan vulnerability series in 2018.

Magellan 2.0 allows code execution when the SQLite DBMS processes SQL statements of a certain form. The vulnerability is notable because it allows the Chrome browser to be attacked remotely and control to be gained over the user's system when a web page controlled by an attacker is opened. Besides executing code through the SQLite operation, the attacker can leak program memory and eventually cause the program to crash.

The attack on Chrome / Chromium is carried out through the WebSQL API, whose driver is based on SQLite code. An attack on other applications is only possible if they allow SQL constructs from outside to be passed to SQLite, for example if they use SQLite as a data exchange format. Firefox is not affected, as Mozilla refused to implement WebSQL in favor of the IndexedDB API.

"These vulnerabilities were found by Tencent Blade Team and verified to be able to exploit remote code execution in the Chromium rendering process," Tencent revealed in an announcement.

"As a well-known database, SQLite is widely used in all modern operating systems and software, so this vulnerability has a wide range of influence. SQLite and Google have confirmed and fixed these vulnerabilities. We will not disclose any details of the vulnerability at this time, and we are pressuring other vendors to fix this vulnerability as soon as possible."

Magellan can affect browsers with WebSQL enabled that meet one of the following conditions:

  • Chrome / Chromium prior to version 79.0.3945.79 (hereinafter "previous version").
  • Smart devices using the previous version of Chrome / Chromium.
  • Browsers built with previous versions of Chromium / Webview.
  • Android applications that use the previous version of Webview and can access any web page.
  • Software that uses the previous version of Chromium and can access any web page.

In addition, four less dangerous problems were also identified in SQLite (CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753), which can lead to information leaks and bypass restrictions (and can be used as contributing factors in an attack on Chrome).

However, the Tencent team says users have no reason to worry, as they have already reported these issues to Google and the SQLite team.

As of SQLite 3.26.0, the SQLITE_DBCONFIG_DEFENSIVE mode can be used as an alternative protection: it prohibits writing to shadow tables, and enabling it is recommended whenever SQLite processes SQL queries from external sources.
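To show what enabling that mode actually changes, here is an added example (not code from the article, from Tencent or from the SQLite project) that opens a connection with and without SQLITE_DBCONFIG_DEFENSIVE and attempts a direct write to an FTS3 shadow table. It assumes Python 3.12 or newer, whose sqlite3 module exposes sqlite3_db_config() as Connection.setconfig(), and a SQLite library of version 3.26.0 or later built with FTS3; the table name docs and the inserted rows are constructed.

```python
import sqlite3

# Python 3.12+ exposes sqlite3_db_config() as Connection.setconfig(); on older
# Pythons the DEFENSIVE flag cannot be toggled from pure Python at all.
DEFENSIVE_SUPPORTED = hasattr(sqlite3.Connection, "setconfig") and hasattr(
    sqlite3, "SQLITE_DBCONFIG_DEFENSIVE"
)


def open_db(defensive: bool) -> sqlite3.Connection:
    """Open an in-memory database with SQLITE_DBCONFIG_DEFENSIVE set explicitly."""
    conn = sqlite3.connect(":memory:")
    if DEFENSIVE_SUPPORTED:
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, defensive)
    elif defensive:
        raise RuntimeError("Connection.setconfig() requires Python 3.12 or newer")
    return conn


def shadow_write_blocked(defensive: bool) -> bool:
    """Create an FTS3 table and try to write one of its shadow tables directly.

    Returns True when SQLite refuses the write (the behaviour the article
    recommends enabling) and False when the write goes through, which is the
    exposure that lets crafted SQL corrupt an FTS3 index.
    """
    conn = open_db(defensive)
    try:
        # FTS3 backs the virtual table 'docs' with the ordinary (shadow) tables
        # docs_content, docs_segments and docs_segdir. The row below is a
        # constructed sample document.
        conn.execute("CREATE VIRTUAL TABLE docs USING fts3(body)")
        conn.execute("INSERT INTO docs(body) VALUES ('constructed sample text')")
        try:
            # No legitimate client writes here; SQL from an untrusted source
            # reaching this statement is exactly what DEFENSIVE mode guards.
            conn.execute(
                "INSERT INTO docs_segments(blockid, block) VALUES (99, x'00')"
            )
        except sqlite3.DatabaseError as exc:
            # SQLite reports: table docs_segments may not be modified
            return "may not be modified" in str(exc)
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    print("default connection blocks shadow writes:", shadow_write_blocked(False))
    if DEFENSIVE_SUPPORTED:
        print("DEFENSIVE connection blocks shadow writes:", shadow_write_blocked(True))
```

Regular inserts into docs still work in both modes, because FTS3 updates its shadow tables from inside the running statement, which is the case DEFENSIVE mode deliberately allows.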

The Chinese security company will release more details about the Magellan 2.0 vulnerabilities in the coming months. From now on, developers must update their applications.

Google fixed the issue in Chrome release 79.0.3945.79. In the SQLite codebase, the issue was fixed on November 17th and in the Chromium codebase on November 21st.

In SQLite itself, the problem lies in the code of the FTS3 full-text search engine: by manipulating shadow tables (a special type of writable virtual table), index corruption and buffer overflows can be caused. Detailed information on the exploitation technique will be published in 90 days.

A new version of SQLite with the fix has not yet been released; it is scheduled for December 31.

In distributions, the vulnerability in the SQLite library remains unpatched on Debian, Ubuntu, RHEL, openSUSE / SUSE, Arch Linux, Fedora.

Chromium on all distributions has already been updated and is not vulnerable, but the problem can cover various third-party browsers and applications that use the Chromium engine, as well as Webview-based Android applications.

Source: https://blade.tencent.com
