Command injection across r_sys_cmd* #16945
Comments
@meme do you want to register a CVE for this?
I believe pancake was registering one, I will confirm.
Seems that it's up to me -- I'm not sure if I can register a CVE since it's not my project, though?
@meme of course not, you can register a CVE for any project.
Requested a CVE from the GitHub CNA and they rejected my request: "At this time, we only support package maintainers requesting CVEs." Which CNA should I contact for the radare2 project?
We will register a CVE right after 4.5.0 is released.
Should be able to be closed now? Or are we waiting on the CVE #?
@meme we are waiting for the CVE, I will send here a link once registered and will close this. Thanks for your work!
This was assigned CVE-2020-15121.
Here is the published security advisory: GHSA-r552-vp94-9358
Work environment

Expected behavior

`idpd` does not cause untrusted code execution on my system.

Actual behavior

Malformed PDB file names in the PDB server path cause shell injection via the following codepath:
https://github.com/radareorg/radare2/blob/master/libr/bin/pdb/pdb_downloader.c#L93-L99

In effect, `$(...)` is not escaped properly, causing this issue. Note that this is not an isolated case in the code base; grep for `r_sys_cmdf` or `r_sys_cmd` for more potential attack vectors.

Steps to reproduce the behavior

Open the executable in radare2 and run `idpd` to trigger the download. The shell code will execute, and will create a file called `pwned` in the current directory.

Additional Logs, screenshots, source-code, configuration dump, ...

I have just used a hex editor to patch the `dbg_file` to `$(touch pwned)` in a PE file from the radare2-testbins repository. ConsoleApplication1.zip (password is `infected`)

The example above is specific to the PDB downloader, but more investigation is required to uncover all the possible attack vectors in the radare2 code-base.