Magellan - SQLite Remote Code Execution Vulnerability Advisory

Magellan is a set of vulnerabilities in SQLite. They were discovered by Tencent Blade Team and verified to allow remote code execution in Chromium-based browsers. Because SQLite is a well-known database embedded in all modern mainstream operating systems and a great deal of software, the vulnerabilities have a wide range of influence. SQLite and Google have confirmed and fixed them. We will not disclose any details of the vulnerabilities at this time, and we are pushing other vendors to fix them as soon as possible.



Q & A


(1) Am I affected by the vulnerability?

If your application uses the FTS3 extension in a SQLite version below 3.25.3 and allows an attacker to run arbitrary SQL statements (either deliberately or by accident), then you could be vulnerable to the Magellan attack.


(2) What is the impact of this vulnerability?

Remote code execution, leaking program memory or causing program crashes.


(3) Has this vulnerability been successfully exploited?

Yes, we successfully exploited Google Home (RCE) with this vulnerability.


(4) What is the CVE ID of this vulnerability?

CVE-2018-20346, CVE-2018-20505, CVE-2018-20506.


(5) Has “Magellan” been abused in the wild?

We have not found any public, complete exploit code for this vulnerability.


(6) Is there a workaround/fix?

We have reported all details of the vulnerability to Google, and they have fixed it (commit). If your product uses Chromium, please update to the official stable version 71.0.3578.80 (Release updates). If your product uses SQLite, please update to 3.26.0 (Release updates).


(7) Are there plans to disclose details of the vulnerability?

Not yet. We follow the responsible vulnerability disclosure process and will not disclose details of the vulnerability before 90 days have passed since the vulnerability report.


(8) The specific scope of the vulnerability?

Magellan refers to a group of vulnerabilities we have reported recently. They affect old versions of:

- Chrome/Chromium.

- Smart devices using Chrome/Chromium.

- Browsers developed based on Chromium (like Opera …).

- Browsers developed based on Webview.

- Android apps that use WebView and can access any website.

- Software that uses Chromium and can access any website.

- The SQLite shell (with FTS3 enabled, as described in media reports).

- Programs, scripts, or apps that use a SQLite component with FTS3 enabled and accept external input for SQL statements.

- Programs, scripts, or apps that enable FTS3 and accept imports of external SQL backups.


Under the following conditions a program is not affected:

- No external SQL request is accepted.

- FTS3 is disabled.
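The exposure conditions above (Q1 and Q8: FTS3 available, SQLite below 3.25.3, and externally supplied SQL accepted) can be turned into a self-assessment check. The following script is an added example and is not code from Tencent Blade Team or the SQLite project; the helper names and the three-way verdict strings are assumptions, and the FTS3 probe simply attempts to create an FTS3 virtual table in an in-memory database.

```python
import sqlite3

# Version thresholds taken from the advisory.
FIXED_VERSION = (3, 25, 3)      # first SQLite release with the fix
HARDENED_VERSION = (3, 26, 0)   # release that added defense in depth


def parse_version(text):
    """Turn a version string such as '3.25.3' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def fts3_available(conn):
    """Return True if this SQLite build can create an FTS3 virtual table.

    A build without the extension raises 'no such module: fts3'.
    """
    try:
        conn.execute("CREATE VIRTUAL TABLE magellan_probe USING fts3(content)")
        conn.execute("DROP TABLE magellan_probe")
        return True
    except sqlite3.OperationalError:
        return False


def assess(version_text, fts3_enabled, accepts_external_sql):
    """Classify exposure using the advisory's conditions (hypothetical verdicts)."""
    version = parse_version(version_text)
    if not accepts_external_sql:
        return "not affected: no external SQL is accepted"
    if not fts3_enabled:
        return "not affected: FTS3 is disabled"
    if version < FIXED_VERSION:
        return "affected: SQLite %s with FTS3 and external SQL; update to 3.26.0" % version_text
    if version < HARDENED_VERSION:
        return "fixed in 3.25.3, but below the 3.26.0 defense-in-depth release"
    return "not affected: SQLite 3.26.0 or later"


def check_runtime(accepts_external_sql=True):
    """Assess the SQLite library linked into this Python interpreter."""
    conn = sqlite3.connect(":memory:")
    try:
        return assess(sqlite3.sqlite_version, fts3_available(conn), accepts_external_sql)
    finally:
        conn.close()


if __name__ == "__main__":
    print(check_runtime())
```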



Timeline


- 1st Nov 2018 Reported vulnerabilities to Google.

- 1st Nov 2018 Vulnerabilities confirmed by Google.

- 3rd Nov 2018 Vulnerabilities reported to SQLite.

- 5th Nov 2018 SQLite released 3.25.3 to fix vulnerabilities.

- 28th Nov 2018 Google fixed vulnerabilities.

- 1st Dec 2018 SQLite released 3.26.0, introducing defense in depth.

- 3rd Dec 2018 Google released the official Chrome version 71.0.3578.80.

- 20th Dec 2018 Google decided to award a bounty of $10337.

- 21st Dec 2018 CVE IDs assigned: CVE-2018-20346, CVE-2018-20505, CVE-2018-20506.