Magellan 2.0 - SQLite Remote Code Execution Vulnerability Advisory

Magellan 2.0 is a group of vulnerabilities in SQLite (the previous group was Magellan 1.0). These vulnerabilities were found by Tencent Blade Team and verified to be exploitable for remote code execution in the Chromium renderer process. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so these vulnerabilities have a wide range of influence. SQLite and Google have confirmed and fixed them. We will not disclose any details of the vulnerabilities at this time, and we are pushing other vendors to fix them as soon as possible.



Q & A


(1) Am I affected by the vulnerability?

You may be affected if you are using software that uses SQLite as a component (without the latest patch, dated 13 Dec 2019) and that accepts external SQL queries, or if you are using Chrome prior to 79.0.3945.79 with WebSQL enabled. Other devices such as PCs, mobile devices and IoT devices may also be affected, depending on whether there is a suitable attack surface.


(2) What is the impact of this vulnerability?

Remote code execution, leaking program memory or causing program crashes.


(3) Has this vulnerability been successfully exploited?

Yes, we successfully exploited Chrome with this vulnerability.


(4) What is the CVE ID of this vulnerability?

CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753.


(5) Has “Magellan” been abused in the wild?

We have not found any public full exploit code for this vulnerability.


(6) Is there a workaround/fix?

We have reported all the details of the vulnerabilities to Google and they have fixed them. If your product uses Chromium, please update to the official stable version 79.0.3945.79 (Stable Channel Update for Desktop). If your product uses SQLite, please update to the newest code commit.


(7) Are there plans to disclose details of the vulnerability?

Not yet. We follow the responsible vulnerability disclosure process and will not disclose the details of the vulnerability within 90 days of the vulnerability report.


(8) The specific scope of the vulnerability?

Magellan refers to a group of vulnerabilities we have reported recently. You may be affected if you are using software that uses SQLite as a component (without the latest patch, dated 13 Dec 2019) and that accepts external SQL queries, or if you are using Chrome prior to 79.0.3945.79 with WebSQL enabled.

Browsers with WebSQL enabled that meet one of the following conditions may be affected by Magellan:

- Chrome/Chromium prior to version 79.0.3945.79 (Hereinafter referred to as “old version”).

- Smart devices using old version of Chrome/Chromium.

- Browsers built with old version of Chromium/Webview.

- Android apps that use an old version of WebView and can access arbitrary web pages.

- Software that uses an old version of Chromium and can access arbitrary web pages.


Programs meeting any of the following conditions are not affected:

- Up-to-date Chrome or SQLite with the newest commit patched.

- Your database does not accept external SQL queries.

- Your browser has disabled WebSQL.
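As an added example (this is not code from the advisory or from Tencent Blade Team), the following Python script encodes the exposure conditions stated above for Chromium-based software as a simple inventory check. The version threshold 79.0.3945.79 comes from the advisory; the `Asset` record layout, the `magellan_exposure` function and the sample inventory are constructed assumptions for illustration.

```python
"""Classify Chromium-embedding assets against the Magellan 2.0 exposure
conditions stated in the advisory (version < 79.0.3945.79 with WebSQL on).

Added example, not part of the advisory. The Asset layout and the sample
inventory below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First fixed Chromium stable release named in the advisory.
FIXED_CHROME_VERSION = "79.0.3945.79"


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted Chromium version string into a comparable tuple.

    Raises ValueError for anything that is not purely numeric dotted
    components, so malformed inventory data is surfaced instead of being
    silently treated as patched.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b.

    Missing trailing components count as zero, so "79" < "79.0.3945.79".
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


@dataclass
class Asset:
    """One inventory record (constructed layout, not from the advisory)."""
    name: str
    chromium_version: Optional[str]  # None if no Chromium build is recorded
    websql_enabled: bool


def magellan_exposure(asset: Asset) -> str:
    """Return 'affected', 'not affected' or 'unknown' per the advisory."""
    if asset.chromium_version is None:
        # No Chromium build recorded: cannot decide, flag for manual review.
        return "unknown"
    if not asset.websql_enabled:
        # Advisory: a browser with WebSQL disabled is not affected.
        return "not affected"
    if version_lt(asset.chromium_version, FIXED_CHROME_VERSION):
        return "affected"
    return "not affected"


def audit(assets: List[Asset]) -> Dict[str, str]:
    """Map each asset name to its exposure classification."""
    return {a.name: magellan_exposure(a) for a in assets}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Asset("kiosk-01", "78.0.3904.108", websql_enabled=True),
    Asset("kiosk-02", "78.0.3904.108", websql_enabled=False),
    Asset("desktop-07", "79.0.3945.79", websql_enabled=True),
    Asset("appliance-03", None, websql_enabled=True),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {status}")
```

The check errs toward "unknown" rather than "not affected" when the Chromium version is missing, since an inventory gap should trigger review rather than be counted as patched. For SQLite-embedding software the advisory gives only "the newest code commit" as the fix, so no numeric threshold is encoded for that case.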



Timeline


- 16 Nov 2019 Reported to Google and SQLite.

- 16 Nov 2019 Vulnerabilities confirmed by Google.

- 27 Nov 2019 Google and SQLite fixed vulnerabilities.

- 27 Nov 2019 Tencent Blade Team provided a fuzzer to Google.

- 11 Dec 2019 Google released the official Chrome version 79.0.3945.79.

- 11 Dec 2019 CVE IDs assigned: CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753.