Magellan 2.0: Google addressed a new set of vulnerabilities


Experts warn of 5 new flaws in Google Chrome dubbed Magellan 2.0

Google has patched five bugs in SQLite, collectively called Magellan 2.0, that an attacker could abuse to remotely execute malicious code within the Chrome browser.
The bugs were found by engineers from the Tencent Blade Security Team.

The issue is related to a feature called the WebSQL API, which exposes Chrome users to remote attacks; it is disabled by design. The WebSQL API converts JavaScript code into SQL commands, which are then executed against the SQLite database.

Exactly a year ago, the same team of experts disclosed a critical vulnerability in the SQLite database software that left billions of apps exposed to attack.

That bug, tracked as ‘Magellan’, could allow remote attackers to execute arbitrary code on affected systems, leak program memory, or crash the application to cause a DoS condition.

SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client-server database engine; it is embedded in the end program instead.

With SQLite used in millions of systems and billions of deployments, Magellan theoretically affects IoT devices, macOS and Windows phones.

The Magellan bugs are triggered by inadequate input validation in SQL commands sent by a third party to the SQLite database.

An attacker can supply specially crafted SQL operations containing malicious code; when the SQLite database engine processes them, they execute commands on the attacker's behalf.
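The two paragraphs above describe the root of the problem: SQL written by an untrusted third party is handed straight to the embedded engine. The engine bugs themselves are fixed only by updating SQLite (or Chrome), but an application that must run third-party SQL can at least confine what a statement is permitted to do. SQLite's documented mechanism for that is the authorizer callback, which the engine consults while a statement is being prepared, so a denied statement never executes at all. The example below is added here for illustration and is not code from Tencent, Google or the SQLite project; it uses Python's standard sqlite3 binding of that C API, an in-memory database with constructed sample rows, and hypothetical allow-lists of one readable table and a few harmless functions.

```python
import sqlite3

# Least-privilege policy for SQL of third-party origin (hypothetical allow-lists,
# chosen for this example): a single readable table and a few harmless functions.
ALLOWED_TABLES = {"notes"}
ALLOWED_FUNCTIONS = {"count", "upper", "lower", "length"}


def read_only_authorizer(action, arg1, arg2, db_name, source):
    """SQLite authorizer callback. It is consulted for every operation while a
    statement is being prepared, so a denied statement is rejected before it runs."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # arg1 is the table name, arg2 the column name being read
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:
        # arg2 is the function name (arg1 is unused for this action)
        return sqlite3.SQLITE_OK if arg2 in ALLOWED_FUNCTIONS else sqlite3.SQLITE_DENY
    # Everything else (INSERT, UPDATE, DELETE, DROP, PRAGMA, ATTACH, ...) is refused.
    return sqlite3.SQLITE_DENY


def make_untrusted_connection():
    """Build a throwaway in-memory database with constructed sample rows, then lock
    the connection down before any third-party SQL can reach it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO notes(body) VALUES ('hello'), ('world');
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO secrets(token) VALUES ('constructed-secret');
    """)
    # Installing the authorizer also expires any statements prepared before it.
    conn.set_authorizer(read_only_authorizer)
    return conn


def run_untrusted_sql(conn, sql):
    """Execute one statement from an untrusted source.
    Returns ("ok", rows) on success or ("rejected", reason) if SQLite refused it."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return ("rejected", str(exc))


if __name__ == "__main__":
    conn = make_untrusted_connection()
    for sql in [
        "SELECT body FROM notes ORDER BY id",
        "SELECT count(*) FROM notes",
        "SELECT token FROM secrets",
        "DROP TABLE notes",
        "PRAGMA table_info(notes)",
        "SELECT hex(randomblob(16))",
    ]:
        print(f"{sql!r:40} -> {run_untrusted_sql(conn, sql)}")
```

Reads from the allow-listed table succeed, while reads of the second table, any write or schema change, PRAGMA statements and non-allow-listed functions are refused at prepare time. The limit of this control is worth stating plainly: it restricts what a statement may do, but a memory-safety bug in the parser or query engine, which is what Magellan 2.0 is, is reached before the statement runs, so the authorizer is a complement to patching, not a substitute for it.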

“Magellan 2.0 is some vulnerabilities that exist in SQLite (Former was: Magellan 1.0 ). These vulnerabilities were found by Tencent Blade Team and verified to be able to exploit remote code execution in Chromium render process,” reads the advisory published by the experts. “As a well-known database, SQLite is widely used in all modern mainstream operating systems and softwares, so this vulnerability has a wide range of influence. SQLite and Google had confirmed and fixed these vulnerabilities.”

The flaws, tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752 and CVE-2019-13753, could lead to remote code execution, leak program memory, or crash the application.

To store different browser settings and user data, Google Chrome utilizes an internal SQLite database.

With the announcement of Google Chrome 79.0.3945.79, Google fixed the five bugs in Magellan 2.0.

The good news is that Tencent was not aware of any public exploit code for Magellan 2.0 or of attacks in the wild abusing the bugs. The researchers did not release technical details at the time the vulnerabilities were announced.

Vulnerabilities Timeline

  • 16 Nov 2019 Reported to Google and SQLite.
  • 16 Nov 2019 Vulnerabilities confirmed by Google.
  • 27 Nov 2019 Google and SQLite fixed vulnerabilities.
  • 27 Nov 2019 Tencent Blade Team provided a fuzzer to Google.
  • 11 Dec 2019 Google released the official Chrome version 79.0.3945.79.
  • 11 Dec 2019 CVE ID has been assigned as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753.
Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.