A new technique for exploiting vulnerabilities in SQLite has been presented


Check Point researchers recently presented at DEF CON 27 the full details of a newly discovered technique for attacking applications that use vulnerable versions of SQLite.

Check Point's method treats database files as a vehicle for triggering vulnerabilities in SQLite's internal subsystems that cannot be reached head-on through the application's front end. The researchers also developed a technique for turning such vulnerabilities into arbitrary code execution through a chain of SELECT queries stored in the SQLite database itself, which also makes it possible to bypass ASLR.

About the vulnerability

The Check Point researchers explained in detail that, for the attack to succeed, the attacker must be able to modify the database files of the targeted application, which limits the method to applications that use SQLite databases as a format for transferring or receiving input data.

They also pointed out, however, that the method can be used to extend local access that has already been obtained, for example to embed hidden backdoors in applications already in use, and to evade security researchers when the malware is analysed.

The action planted by the file substitution is triggered when the application executes its first SELECT query against a table in the modified database.

As an example, code execution on iOS was demonstrated when the address book was opened, using an AddressBook.sqlitedb file that had been modified with the proposed method.

The attack used a vulnerability in the fts3_tokenizer function (CVE-2019-8602, the ability to register a raw pointer), fixed in the SQLite 3.28 update in April, together with another vulnerability in the implementation of window functions.

It was also shown how the method can be used to take over the attackers' own PHP back-end server of a password stealer, which collects the passwords intercepted while the malicious code runs (the harvested passwords are delivered to the server in SQLite format, so the server opens an attacker-supplied database).

The attack method relies on two techniques, Query Hijacking and Query Oriented Programming, which make it possible to exploit arbitrary bugs that lead to memory corruption in the SQLite engine.

The essence of "query hijacking" is replacing the content of the "sql" field in the sqlite_master service table that describes the structure of the database. That field holds a DDL (Data Definition Language) block used to describe the structure of the objects in the database.

The structure is defined in standard SQL, i.e. a "CREATE TABLE" statement, which is executed during database initialisation (on the first execution of the sqlite3LocateTable function) and is used to build the in-memory internal structures associated with the table.

The idea is that by replacing "CREATE TABLE" with "CREATE VIEW", every access to the table can be controlled through the definition of the view.

In other words, with "CREATE VIEW" a "SELECT" statement is attached to the table name, and that SELECT runs in place of the original table access, giving the attacker entry into various parts of the SQLite interpreter.

From there, the simplest attack would be to call the "load_extension" function, which would let the attacker load an arbitrary library as an extension, but that function is disabled by default.

To carry out an attack with nothing more than the ability to run SELECT statements, the researchers proposed the Query Oriented Programming technique, which makes it possible to exploit bugs in SQLite that lead to memory corruption.

The technique is reminiscent of Return Oriented Programming (ROP), but instead of existing snippets of machine code it uses a set of subqueries inside a SELECT to build a chain of calls ("gadgets").

Source: https://threatpost.com/

