SQLite Vulnerability Permits iOS Hack: Report
Check Point Researchers Say Flaw Allows Execution of Malicious Code
Security researchers at Check Point Software Technologies have uncovered a vulnerability in the SQLite database engine on Apple iOS devices that can be used to run malicious code capable of stealing passwords and gaining persistent control of affected devices.
SQLite is a database engine widely used in mobile operating systems, where it stores data for many applications. Apple uses the database in iOS for its iPhones and iPods, according to the SQLite website.
Presenting their study at the 2019 DEF CON security conference in Las Vegas last week, Omer Gull and Omri Herscovici of Check Point combined a memory-corruption flaw in SQLite, reached through the contacts database used by the iPhone's iMessenger app, with another unpatched bug in Apple's operating system, CVE-2015-7036, to gain control of the device.
The researchers developed a modified “contacts” app to demonstrate the attack and the ability to carry out a remote code execution that could steal stored passwords from the device's back end.
"In our long term research, we experimented with the exploitation of memory corruption issues within SQLite without relying on any environment other than the SQL language," the researchers note in a blog. "Using our innovative techniques, we proved it is possible to reliably exploit memory corruption issues in the SQLite engine."
According to the researchers, the vulnerability is common to all iOS devices and all major services, including Facetime, Springboard, WhatsApp, Telegram and XPCProxy, that share data with Apple's iMessenger app.
SQLite and Unpatched Bug
All applications running on iOS devices are covered by Apple's Secure Boot feature, which provides an extra layer of protection. The researchers note, however, that SQLite database files are not covered by Secure Boot, which allowed them to plant malicious payloads inside an SQLite database.
By replacing the database file that iMessage relies on, the researchers were able to trigger the malicious code through ordinary querying: each time iMessage queries the tampered SQLite file, the attacker gains more operating system privileges.
To achieve remote code execution, the researchers exploited the second, dormant bug, CVE-2015-7036, by developing a trusted app. This second bug, discovered four years ago, has not been patched by Apple because it can only be triggered by unknown applications accessing the database, and iOS' inherent security features do not permit any unknown apps.
"This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source (Web SQL), and so it was mitigated accordingly," the researchers say. "However, SQLite usage is so versatile that we can actually still trigger it in many scenarios."
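The research above treats a database file, not just the SQL sent to it, as untrusted input. As an added example that is not part of the report or of Check Point's work, the Python script below audits an SQLite file before an app queries it: it opens the file read-only with hardening pragmas, runs a structure check, and flags triggers, views and references to the fts3_tokenizer function named in CVE-2015-7036 (adding load_extension to the watch list is my own assumption). The sample databases are constructed inline.

```python
import re
import sqlite3
import tempfile

# Functions with no business in a contacts database schema. fts3_tokenizer is
# the one behind CVE-2015-7036 in the article; load_extension is my addition.
RISKY_FUNCTIONS = ("fts3_tokenizer", "load_extension")

def harden(conn):
    """Pragmas to issue before an untrusted file is queried (older builds ignore unknown ones)."""
    conn.execute("PRAGMA trusted_schema=OFF")  # SQLite >= 3.31: do not trust schema SQL
    conn.execute("PRAGMA cell_size_check=ON")  # validate b-tree cell sizes on read

def audit_schema(path):
    """Open read-only and list schema objects that would run SQL on the app's behalf."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        harden(conn)
        findings = []
        if conn.execute("PRAGMA quick_check").fetchone()[0] != "ok":
            findings.append("quick_check: file structure is damaged")
        rows = conn.execute(
            "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL").fetchall()
        for typ, name, sql in rows:
            if typ in ("trigger", "view"):  # these run SQL whenever the app touches the table
                findings.append(f"{typ} {name}: executable SQL stored in schema")
            for fn in RISKY_FUNCTIONS:
                if re.search(rf"\b{fn}\s*\(", sql, re.IGNORECASE):
                    findings.append(f"{typ} {name}: references {fn}()")
        return findings
    finally:
        conn.close()

def build_sample(path, planted):
    """Constructed sample contacts DB; planted=True adds a trigger naming fts3_tokenizer."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)")
    if planted:  # trigger bodies are stored as text and only compiled when they fire
        conn.execute("CREATE TRIGGER t AFTER INSERT ON contacts "
                     "BEGIN SELECT fts3_tokenizer('simple'); END")
    conn.commit()
    conn.close()

def demo():
    """Audit one clean and one tampered sample; returns (clean_findings, tampered_findings)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(f"{d}/clean.db", planted=False)
        build_sample(f"{d}/tampered.db", planted=True)
        return audit_schema(f"{d}/clean.db"), audit_schema(f"{d}/tampered.db")
```

A real deployment would compare the schema against the app's expected one rather than a keyword list, but the read-only open and the pragmas apply as they are.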
The researchers have shared their findings with Apple. Check Point and Apple did not immediately reply to a request for comment on the findings. A spokesperson for Check Point, however, told Inc. that the company has not seen any exploits in the wild. And attackers would need direct access to an unlocked iPhone to replace the component of the contacts app needed to take advantage of the SQLite vulnerability, Fast Company reports.
Unsecure Security Guards
Earlier, security researchers uncovered a mechanism to bypass a current security feature within Apple products (see: Researcher Finds New Way Around Apple's Gatekeeper).
In May, researcher Filippo Cavallarin discovered flaws within "Gatekeeper," a security feature of the macOS operating system that authenticates apps by checking whether they are digitally signed by Apple. The researcher exploited this feature to mark external drives and network shares as "safe."