PT-2012-22: Format String Vulnerability in SQLite

Vulnerable software

SQLite
Version: 3.7.13 and earlier
Operation system: OS/2 (eComStation)

Application link:
http://sqlite.org/

Severity level

Severity level: Medium
Impact: Denial of Service
Access Vector: Local  

CVSS v2:
Base Score: 5.5
Vector: (AV:L/AC:M/Au:S/C:C/I:P/A:P)

CVE: not assign

Software description

SQLite is a lightweight embedded relational database.

Vulnerability description

The specialists of the Positive Research center have detected format string vulnerability in SQLite.

While opening a file via SQLite on the OS/2 operating system (eComStation), the path, to be converted from a relative one to an absolute one, is handled by the os2FullPathname function. As part of the function’s execution process, the path gets into the sqlite3_snprintf function as a format string, and not as an argument for a format string. This allows attackers to use escape sequences in the format string.

The vulnerability is in the file /sqlite3.c.
Vulnerable code fragment:

static int os2FullPathname(
...
const char *zRelative,      /* Possibly relative input path */
...
char *zFull                 /* Output buffer */
){
char *zRelativeCp = convertUtf8PathToCp( zRelative );
...
APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
zFullCp, CCHMAXPATH );
free( zRelativeCp );
zFullUTF = convertCpPathToUtf8( zFullCp );
sqlite3_snprintf( nFull, zFull, zFullUTF );
...

Exploitation Exapmle
Opening the database named "%s%s%s%s%s%s%s" will trigger SQLite failure.

How to fix

From June 21, 2012 the vendor does not support SQLite for OS/2. Version 3.7.13 and earlier are vulnerable.

Advisory status

10.07.2012 - Vendor is notified
06.09.2012 - Public disclosure

Credits

The vulnerabilities has discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-22

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

Threatscape
Visionary WAF – Constant innovation