Skip to content

ayappanec/CVE-2022-35737

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
Dockerfile
Dockerfile
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
pdo-sqlite3-quote-poc.php
pdo-sqlite3-quote-poc.php
 
 
placeholder.sql3
placeholder.sql3
 
 
snprintf-control-pc.c
snprintf-control-pc.c
 
 
snprintf-crash.c
snprintf-crash.c
 
 
snprintf-good-example.c
snprintf-good-example.c
 
 
snprintf-livelock.c
snprintf-livelock.c
 
 

Repository files navigation

CVE-2022-35737

Integer overflow in SQLite3 sqlite3_str_vappendf function.

CVSS 6.7 AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2022-35737 was introduced in SQLite version 1.0.12 and fixed in release 3.39.2, available on July 21, 2022. It is exploitable on 64-bit systems, and exploitability depends on how the program is compiled: arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present; denial-of-service is confirmed in all cases.

Large string inputs to the sqlite3_str_vappendf function can cause signed integer overflow when the format specifier is %q, %Q, or %w. This can cause user-controlled data to be written beyond the bounds of a stack-allocated buffer, resulting in program crash, infinite loop, or possible arbitrary code execution.

This repository contains proof-of-concept code that demonstrate the exploitation of the vulnerability.

Proofs-of-Concept

snprintf-good-example.c

Demonstrate that sqlite3_snprintf correctly escapes all existing single-quote characters and adds a leading and trailing single quote to a short string.

Expected outcome:

$ ./snprintf-good-example
src: hello, 'world'!
dst: 'hello, ''world''!'

snprintf-crash.c

Demonstrate that sqlite_snprintf crashes when called with sufficiently large strings.

Expected outcome: SIGSEGV

$ ./snprintf-crash
Segmentation fault (core dumped)

snprintf-control-pc.c

Demonstrate that it is possible to control the length of the buffer overflow to overwrite targeted data on the stack, like the stack canary and saved return address.

Expected outcome: SIGABRT

$ ./snprintf-control-pc
*** stack smashing detected ***: terminated
Aborted (core dumped)

snprintf-livelock.c

Demonstrate that it is possible to cause the vulnerable program to loop nearly endlessly (2^64 iterations).

Expected outcome: loop endlessly (on a reasonable timescale)

$ ./snprintf-livelock
<no output>
^C

pdo-sqlite3-quote-poc.php

Demonstrate that CVE-2022-35737 is reachable from the PHP interpreter when run with non-default memory limits.

Expected outcome: SIGSEGV

$ php pdo-sqlite3-quote-poc.php
Segmentation fault (core dumped)

Dockerfile

If desired, the proofs-of-concept can be executed in a Docker container that has dependencies pinned to the vulnerable version of the SQLite library.

$ docker build -t cve-2022-35737 .
$ docker run -it --rm cve-2022-35737 /bin/bash
root@289cef859649:/poc# ./snprintf-crash
Segmentation fault (core dumped)

About

Stranger strings: CVE-2022-35737

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 77.3%
  • Makefile 9.9%
  • Dockerfile 9.7%
  • PHP 3.1%