PT-2012-22: Format String Vulnerability in SQLite

Vulnerable software
SQLite
Version: 3.7.13 and earlier
Operating system: OS/2 (eComStation)
Application link: http://sqlite.org/

Severity level
Severity level: Medium
Impact: Denial of Service
Access Vector: Local
CVSS v2:
  Base Score: 5.5
  Vector: (AV:L/AC:M/Au:S/C:C/I:P/A:P)
CVE: not assigned

Software description
SQLite is a lightweight embedded relational database.

Vulnerability description
The specialists of the Positive Research Center have detected a format string vulnerability in SQLite.

When a file is opened via SQLite on the OS/2 operating system (eComStation), the path to be converted from a relative one to an absolute one is handled by the os2FullPathname function. During the function's execution the resolved path is passed to sqlite3_snprintf as the format string rather than as an argument for a fixed format string. This allows an attacker who controls the path to place format directives (such as "%s") in it, which sqlite3_snprintf then interprets.

The vulnerability is in the file /sqlite3.c. Vulnerable code fragment:

    static int os2FullPathname(
      ...
      const char *zRelative,  /* Possibly relative input path */
      ...
      char *zFull             /* Output buffer */
    ){
      char *zRelativeCp = convertUtf8PathToCp( zRelative );
      ...
      APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
                                    zFullCp, CCHMAXPATH );
      free( zRelativeCp );
      zFullUTF = convertCpPathToUtf8( zFullCp );
      sqlite3_snprintf( nFull, zFull, zFullUTF );   /* path used as the format string */
      ...

Exploitation example
Opening a database named "%s%s%s%s%s%s%s" will trigger a SQLite failure.

How to fix
Since June 21, 2012 the vendor does not support SQLite for OS/2. Version 3.7.13 and earlier are vulnerable.

Advisory status
10.07.2012 - Vendor is notified
06.09.2012 - Public disclosure

Credits
The vulnerability was discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company).

References
http://en.securitylab.ru/lab/PT-2012-22

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
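The following is an added example, not SQLite's code and not part of the original advisory. It shows the hardened form of the copy at the end of os2FullPathname (a fixed "%s" format with the path passed as an argument) next to a small audit check that flags paths containing printf directives. Standard snprintf stands in for sqlite3_snprintf, which has the same (n, buf, fmt, ...) shape; the helper names full_pathname_copy and path_has_format_directive are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of the advisory's vulnerable call
 *   sqlite3_snprintf( nFull, zFull, zFullUTF );
 * The format string is a literal and the attacker-controlled path is an
 * argument, so "%s" inside the path is copied verbatim, never interpreted.
 * Returns 0 on success, -1 if the path did not fit into zFull. */
int full_pathname_copy(char *zFull, size_t nFull, const char *zFullUTF) {
    int n = snprintf(zFull, nFull, "%s", zFullUTF);   /* fixed format, path as argument */
    if (n < 0 || (size_t)n >= nFull) {
        return -1;                                    /* truncated: caller must treat as error */
    }
    return 0;
}

/* Audit/detection helper: returns 1 if the path contains a '%' that printf
 * would treat as a conversion directive (anything except the escaped "%%"),
 * otherwise 0. Useful for logging suspicious database names on a host that
 * still runs an unpatched build. */
int path_has_format_directive(const char *path) {
    for (const char *p = path; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') {      /* "%%" is a literal percent sign, skip it */
                p++;
                continue;
            }
            return 1;               /* "%s", "%n", "%x", ... would be interpreted */
        }
    }
    return 0;
}

int main(void) {
    /* Constructed sample inputs: the advisory's trigger name and a benign path. */
    const char *names[] = { "%s%s%s%s%s%s%s", "C:\\data\\orders.db", "C:\\data\\100%%.db" };
    char zFull[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int flagged = path_has_format_directive(names[i]);
        int rc = full_pathname_copy(zFull, sizeof zFull, names[i]);
        printf("%-24s directive=%d rc=%d copied=\"%s\"\n", names[i], flagged, rc, zFull);
    }
    return 0;
}
```

With the fixed "%s" format the trigger name from the advisory is copied into the buffer unchanged; with the original call it is parsed as a format string and the process dereferences whatever is on the stack.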