PT-2012-22: Format String Vulnerability in SQLite

Positive Technologies, June 9, 2012

Vulnerable software

SQLite
Version: 3.7.13 and earlier
Operation system: OS/2 (eComStation)

Application link:
<http://sqlite.org/>

Severity level

Severity level: Medium
Impact: Denial of Service
Access Vector: Local

CVSS v2:
Base Score: 5.5
Vector: (AV:L/AC:M/Au:S/C:C/I:P/A:P)

CVE: not assigned

Software description

SQLite is a lightweight embedded relational database.

Vulnerability description

The specialists of the Positive Research center have detected a format string vulnerability in SQLite.

While opening a file via SQLite on the OS/2 operating system (eComStation), the path, which has to be converted from a relative one to an absolute one, is handled by the os2FullPathname function. During the function's execution the path is passed to sqlite3_snprintf as the format string rather than as an argument to a fixed format string. This allows an attacker who controls the path to place format directives (such as %s) in it, which sqlite3_snprintf then interprets.

The vulnerability is in the file /sqlite3.c.
Vulnerable code fragment:

```c
static int os2FullPathname(
  sqlite3_vfs *pVfs,          /* Pass xFullPathname through to sqlite3_vfs */
  const char *zRelative,      /* Possibly relative input path */
  int nFull,                  /* Size of output buffer in bytes */
  char *zFull                 /* Output buffer */
){
  char *zRelativeCp = convertUtf8PathToCp( zRelative );
  char zFullCp[CCHMAXPATH] = "\0";
  char *zFullUTF;
  APIRET rc = DosQueryPathInfo( (PSZ)zRelativeCp, FIL_QUERYFULLNAME,
                                zFullCp, CCHMAXPATH );
  free( zRelativeCp );
  zFullUTF = convertCpPathToUtf8( zFullCp );
  /* The caller-supplied path is used as the format string itself */
  sqlite3_snprintf( nFull, zFull, zFullUTF );
  free( zFullUTF );
  return rc == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
}
```

Exploitation Example
Opening the database named “%s%s%s%s%s%s%s” will trigger SQLite failure.
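The following is an added example, not code from the advisory or from SQLite, that isolates the bug class described above. It uses a small demo_snprintf() stand-in with the same argument order as sqlite3_snprintf() (size, buffer, format, ...), places the untrusted path in the format position exactly as the vulnerable fragment does, and contrasts it with the standard fix of passing the path as an argument to a fixed "%s" format. The only directive it actually runs through the vulnerable path is "%%", which is well defined and shows the interpretation without crashing; the directive counter is a review aid for spotting untrusted strings that reach a format parameter, such as the "%s%s%s%s%s%s%s" name from the exploitation example. All function names are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sqlite3_snprintf(): same argument order as SQLite's API
   (size, buffer, format, ...), implemented over vsnprintf(). This is an
   assumption for the example, not SQLite's real implementation. */
static char *demo_snprintf(int n, char *zBuf, const char *zFormat, ...){
  va_list ap;
  if( n<=0 ) return zBuf;
  va_start(ap, zFormat);
  vsnprintf(zBuf, (size_t)n, zFormat, ap);
  va_end(ap);
  zBuf[n-1] = '\0';
  return zBuf;
}

/* Mirrors the advisory's bug: the caller-chosen path is the format string. */
static char *full_pathname_vulnerable(int nFull, char *zFull, const char *zPath){
  return demo_snprintf(nFull, zFull, zPath);
}

/* Hardened form: the path becomes an argument to a fixed "%s" format, so
   any '%' it contains is copied literally instead of being interpreted. */
static char *full_pathname_fixed(int nFull, char *zFull, const char *zPath){
  return demo_snprintf(nFull, zFull, "%s", zPath);
}

/* Review aid: count the conversion directives a string would introduce if
   it were used as a printf-style format ("%%" is a literal percent sign and
   is not counted). A non-zero count on untrusted data that reaches a format
   parameter is the condition this advisory describes. */
static int count_format_directives(const char *s){
  int count = 0;
  for( ; *s; s++ ){
    if( *s!='%' ) continue;
    if( s[1]=='%' ){ s++; continue; }   /* "%%" -> literal '%' */
    count++;
  }
  return count;
}

int main(void){
  char buf[64];
  /* Constructed sample path containing a benign, well-defined directive. */
  const char *path = "C:\\data\\100%%\\app.db";
  printf("vulnerable: %s\n", full_pathname_vulnerable(sizeof buf, buf, path));
  printf("fixed:      %s\n", full_pathname_fixed(sizeof buf, buf, path));
  printf("directives in \"%%s%%s%%s%%s%%s%%s%%s\": %d\n",
         count_format_directives("%s%s%s%s%s%s%s"));
  return 0;
}
```

The vulnerable variant rewrites "100%%" to "100%", proving the path was parsed as a format, while the fixed variant preserves it byte for byte. The counter reports seven directives for the database name from the exploitation example and zero for an ordinary path, which is the kind of check a code reviewer or fuzzing harness can apply to any value that ends up in a format position.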

How to fix

From June 21, 2012 the vendor no longer supports SQLite for OS/2. Versions 3.7.13 and earlier are vulnerable.

Advisory status

10.07.2012 - Vendor is notified
06.09.2012 - Public disclosure

Credits

The vulnerability was discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company).

References

<http://en.securitylab.ru/lab/PT-2012-22>

Reports on the vulnerabilities previously discovered by Positive Research:

<http://ptsecurity.com/research/advisory/>
<http://en.securitylab.ru/lab/>