Magellan is a set of vulnerabilities in SQLite. They were discovered by Tencent Blade Team and verified to achieve remote code execution in Chromium-based browsers. SQLite is a well-known database that is used in all modern mainstream operating systems and a great deal of software, so these vulnerabilities have a wide impact. SQLite and Google have confirmed and fixed them. We will not disclose any details of the vulnerabilities at this time, and we are pushing other vendors to fix them as soon as possible.
If your application uses the FTS3 extension in an SQLite version below 3.25.3 and allows an attacker to run arbitrary SQL statements (either deliberately or by accident), then you could be vulnerable to the Magellan attack.
The impact is remote code execution, leaking program memory, or causing program crashes.
Yes, we successfully exploited Google Home (RCE) with this vulnerability.
The assigned CVE IDs are CVE-2018-20346, CVE-2018-20505 and CVE-2018-20506.
We have not found any public full exploit code for this vulnerability.
We have reported all the details of the vulnerability to Google and they have fixed it (see the commit). If your product uses Chromium, please update to the official stable version 71.0.3578.80 (see the release updates). If your product uses SQLite, please update to 3.26.0 (see the release updates).
Not yet. We follow the responsible vulnerability disclosure process and will not disclose the details of the vulnerability before 90 days have passed since the vulnerability report.
Magellan refers to a group of vulnerabilities we have reported recently. They affect old versions of:
- Smart devices using Chrome/Chromium.
- Browsers developed based on Chromium (like Opera ...).
- Browsers developed based on WebView.
- Android apps that use WebView and can access any website.
- Software that uses Chromium and can access any website.
- The SQLite shell (with FTS3 enabled, as described in media reports).
- Programs, scripts, or apps that use an SQLite component with FTS3 enabled and accept external input for SQL statements.
- Programs, scripts, or apps that enable FTS3 and accept imports of external SQL backups.
Under the following conditions a program will not be affected:
- No external SQL request is accepted.
- FTS3 is disabled.
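The two conditions above (SQLite older than 3.25.3, and FTS3 available) can be checked mechanically against the library a program actually links. The following is an added example written for this page, not code from Tencent Blade Team or the SQLite project; it uses Python's standard `sqlite3` module, and the probe table name `magellan_probe` is a constructed placeholder. Whether a program accepts externally supplied SQL statements is a code-review question the script cannot answer for you.

```python
"""Audit the linked SQLite library for the Magellan preconditions.

Added example (not Tencent Blade Team's code). It checks the two
conditions the advisory names: the SQLite version is older than the
fixed release 3.25.3, and the FTS3 virtual-table module is available.
"""
import sqlite3

# First SQLite release that fixed the Magellan bugs (from the advisory).
FIXED_VERSION = (3, 25, 3)


def parse_version(version: str) -> tuple:
    """Turn '3.25.2' into (3, 25, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def fts3_available() -> bool:
    """Return True if the fts3 module is compiled into the library.

    Creating an FTS3 table in a scratch in-memory database is a more
    reliable probe than reading PRAGMA compile_options, because a build
    may ship the module without reporting ENABLE_FTS3 there.
    """
    conn = sqlite3.connect(":memory:")
    try:
        # 'magellan_probe' is a constructed name; any unused name works.
        conn.execute("CREATE VIRTUAL TABLE magellan_probe USING fts3(content)")
    except sqlite3.OperationalError as exc:
        if "no such module" in str(exc):
            return False
        raise
    finally:
        conn.close()
    return True


def vulnerable_configuration(version: str, fts3_enabled: bool) -> bool:
    """Both advisory preconditions must hold for the build to be exposed."""
    return parse_version(version) < FIXED_VERSION and fts3_enabled


def audit() -> dict:
    """Report on the SQLite library linked into this Python interpreter."""
    version = sqlite3.sqlite_version
    fts3 = fts3_available()
    return {
        "sqlite_version": version,
        "fts3_available": fts3,
        "magellan_preconditions_met": vulnerable_configuration(version, fts3),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it under the same interpreter (or container image) that your application uses, since an application may bundle its own SQLite rather than the system library; a `True` for `magellan_preconditions_met` means the build needs updating to 3.26.0, not that the program is exploitable on its own.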
- 1st Nov 2018: Reported vulnerabilities to Google.
- 1st Nov 2018: Vulnerabilities confirmed by Google.
- 3rd Nov 2018: Vulnerabilities reported to SQLite.
- 5th Nov 2018: SQLite released 3.25.3 to fix the vulnerabilities.
- 28th Nov 2018: Google fixed the vulnerabilities.
- 1st Dec 2018: SQLite released 3.26.0, introducing defense in depth.
- 3rd Dec 2018: Google released the official Chrome version 71.0.3578.80.
- 20th Dec 2018: Google decided to award a bounty of $10337.
- 21st Dec 2018: CVE IDs assigned as CVE-2018-20346, CVE-2018-20505, CVE-2018-20506.
Tencent Blade Team was founded by Tencent Security Platform Department, focusing on security research in AI, Mobile Internet, IoT and other cutting-edge technologies. So far, Tencent Blade Team has reported more than 100 security vulnerabilities to a large number of international manufacturers, including Google, Apple, Amazon and Adobe. In the future, Tencent Blade Team will continue to make the Internet a safer place for everyone.
Contact us: firstname.lastname@example.org
Copyright © 2018 Tencent Security Platform Department. All Rights Reserved.