Exploring the New World : Remote Exploitation of SQLite and Curl

Black Hat USA 2019

Presented by: YuXiang Li, Wenxiang Qian, HuiYu Wu
Date: Thursday August 08, 2019
Time: 17:00 - 18:00
Location: Lagoon GHI

Over the past years, our team has used several new approaches to identify multiple critical vulnerabilities in SQLite and Curl, two of the most widely used basic software libraries. These two sets of vulnerabilities, which we named "Magellan" and "Dias" respectively, affect many devices and software. We exploited these vulnerabilities to break into some of the most popular Internet of things devices (including Google Home with Chrome), one of the most widely used Web server (Apache+PHP) and one of the most commonly used developer tool (Git).

In this presentation, we will share new methods to discover vulnerabilities in SQLite and Curl through Fuzz and manual auditing. Through these methods, we found "Magellan", a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite ( CVE-2018-20346, CVE-2018-20505 CVE-2018-20506 ) We also found "Dias", two remote memory leak and stack buffer overflow vulnerabilities in Curl ( CVE-2018-16890 and CVE-2019-3822 ). Considering the fact that these vulnerabilities affect many systems and software, we have issued a vulnerability alert to notify the vulnerable vendor to fix it.

We will disclose the details of "Magellan" and "Dias" for the first time and highlight some of our new vulnerability exploitation techniques. In the first part, we will analyze how to use Magellan to complete the first public remote exploit of Google Home. In the second part, we will talk about how to use Dias to complete the remote attack on Apache+PHP and Git. Finally, we will summarize our research and provide some security development advice to the basic software library developers.

Wenxiang Qian

Qian Wenxiang is a senior security researcher at Tencent Blade Team and focuses on security research of IoT devices. He also does security audits for web browsers. He was on the top 100 of annual MSRC list (2016 & 2017 ) and speaker of DEFCON 26 and published a book called "Whitehat Talk About Web Browser Security ".

YuXiang Li

Li YuXiang is a senior security researcher at Tencent Blade Team, specialized in the study of Mobile Security and IoT Security. He has reported multiple vulnerabilities of Android and received acknowledgments from Google & Huawei. He was a speaker of HITB AMS 2018 and XCON 2018.

HuiYu Wu

Wu HuiYu is a senior security researcher at Tencent Blade Team, and full stack security engineer that focuses on IoT security and mobile security. He is also a bug hunter, winner of GeekPwn 2015, and speaker of DEFCON 26, HITB 2018 AMS and POC2017.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats