Researchers at security conference Def Con 2019 demonstrated a method of exploiting regular database searches to produce malicious results, and used Apple's standard iOS Contacts app to prove it.
Apple's iOS Contacts is one of the many applications that use SQLite
Security firm Check Point has demonstrated an exploitable vulnerability in the industry-standard SQLite database format. Speaking at Def Con 2019, the company showed the technique being used to manipulate Apple's iOS Contacts app. Searching the Contacts app under these circumstances can be enough to make the device run malicious code.
"SQLite is the most wide-spread database engine in the world," said the company in a statement. "It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite."
"In short, we can gain control over anyone who queries our SQLite-controlled database," they continued.
When you search for a contact or look up information in any app, you are really querying a database, and very commonly that database is SQLite.
Documented in a 4,000-word report seen by AppleInsider, the company's hack involved replacing one part of Apple's Contacts app, and it also relied on a known bug that still hasn't been fixed four years after it was discovered.
"Wait, what? How come a four-year-old bug has never been fixed?" write the researchers in their document. "This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios."
In other words, the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps. However, Check Point's researchers then managed to make a trusted app send the code to trigger this bug and exploit it.
They replaced a specific component of the Contacts app and found that while apps and any other executable code have to pass Apple's startup checks, an SQLite database is not executable and so is never checked.
"Persistency [keeping the code on the device after a restart] is hard to achieve on iOS," they said, "as all executable files must be signed as part of Apple's Secure Boot. Luckily for us, SQLite databases are not signed."
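The attack path described above rests on an unsigned database file being handed straight to the engine. As an added defensive illustration (not code from Check Point's report or from Apple), the following Python validates an SQLite file's header and runs SQLite's own `integrity_check` read-only before the application queries it; the sample databases are constructed inline, and the check reduces exposure to malformed files but is not a substitute for signing the data.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def header_looks_sane(path):
    """Inspect the 100-byte file header before the engine ever parses it."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if len(hdr) < 100 or hdr[:16] != SQLITE_MAGIC:
        return False
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    if page_size < 512 or page_size & (page_size - 1):  # must be a power of two
        return False
    return os.path.getsize(path) % page_size == 0  # whole number of pages


def open_untrusted(path):
    """Open read-only and require integrity_check to pass; raise otherwise."""
    if not header_looks_sane(path):
        raise ValueError("rejected: malformed SQLite header")
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        result = conn.execute("PRAGMA integrity_check").fetchone()[0]
    except sqlite3.DatabaseError as e:
        conn.close()
        raise ValueError(f"rejected: {e}") from None
    if result != "ok":
        conn.close()
        raise ValueError(f"rejected: integrity_check -> {result}")
    return conn


def demo():
    """Constructed inputs: a genuine contacts-style DB and a file with a forged header."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "good.db")
    conn = sqlite3.connect(good)
    conn.execute("CREATE TABLE contacts(name TEXT, phone TEXT)")
    conn.execute("INSERT INTO contacts VALUES ('Alice', '555-0100')")
    conn.commit()
    conn.close()
    bad = os.path.join(d, "bad.db")
    with open(bad, "wb") as f:
        f.write(SQLITE_MAGIC + b"\x00" * 84 + b"X" * 4000)  # valid magic, junk body
    good_ok = open_untrusted(good).execute("SELECT count(*) FROM contacts").fetchone()[0] == 1
    try:
        open_untrusted(bad)
        bad_rejected = False
    except ValueError:
        bad_rejected = True
    return good_ok, bad_rejected
```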
Detail from the Check Point team's hack documentation
They had to have access to the unlocked device to install this replacement for part of Contacts. After that, though, they were able to choose what they wanted to happen when the Contacts database was searched.
For the purpose of the demonstration, they just had the app crash. The researchers said that they could have crafted the app to steal passwords.
"We established that simply querying a database may not be as safe as you expect," they said. "We proved that memory corruption issues in SQLite can now be reliably exploited."
"Our research and methodology have all been responsibly disclosed to Apple," they concluded.
This is not the first time that a problem in SQLite has resulted in a security bug, nor the first such bug to remain unfixed for years.