Exploring and Exploiting the SQLite

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference, SQLite, Remote Code Execution (RCE), Database Security, Exploit Development, Security Research

Course Description

Overview

This Hack In The Box Security Conference talk covers SQLite vulnerabilities and exploitation techniques. It begins with the discovery of the Magellan vulnerabilities and their impact on Google Home and Chrome, then reviews the protective measures subsequently added to SQLite and WebSQL. It examines seven newly discovered vulnerabilities and three bugs that can be chained together to bypass Defense-In-Depth and achieve Remote Code Execution in Chrome through WebSQL. The speaker describes manual auditing techniques and the development of a fuzzer, sqlite3_shadow_table_fuzzer, now running on Google's ClusterFuzz, including the weaknesses of existing fuzzers and how vulnerability discovery was optimized. The talk walks through auditing strategies for blobs, memory operations, and special commands; shows how shadow tables and structure-aware fuzzing surface security flaws; and explains how Defense-In-Depth measures were bypassed and fake objects created to stabilize the heap for a working exploit. It concludes with observations on making security research in SQLite and related technologies more efficient and effective.

Syllabus

Intro
Tencent Blade Team
Agenda
The Magellan 2.0
Vulnerabilities or Bugs Found by the Fuzzer
Auditing Strategies: Blobs
Auditing Strategies: The memory operations
Auditing Strategies: Special Commands
Shadow Tables
Structure-Aware Fuzzing
How the Fuzzer is Implemented
Differences from Google's (1)
Raw Data
Generated Testcase
Preparations
Initial Queries of the Fuzzer
The Structure opdata_16
Example of Translating Opcode to Query
Table Selector and Column Selector
SQL Operation Selector
Get Data from Data Provider
Run Generated SQL Queries
Bypass the Defense-In-Depth
It's a Little Bit Tough
Let's Make Some Fake Objects
Stabilize the Heap and the RCE
Get Uninitialized Heap Data
Overwrite the sqlite3Config
Set the Memory Page to RWX
Restore the Stack
Conclusion


Taught by

Hack In The Box Security Conference

Related Courses

CNIT 127: Exploit Development
CNIT - City College of San Francisco via Independent
Offensive Penetration Testing
LinkedIn Learning
Penetration Testing: Advanced Kali Linux
LinkedIn Learning
Reverse Engineering Linux 32-bit Applications
PentesterAcademy
Exploit Development and Execution with the Metasploit Framework
Pluralsight