Command injection across r_sys_cmd* #16945
Comments
|
@meme do you want to register a CVE for this? |
|
I believe pancake was registering one, I will confirm. |
|
Seems that it's up to me -- I'm not sure if I can register a CVE since it's not my project, though? |
|
@meme of course not, you can register CVE for any project. |
|
Requested a CVE from the GitHub CNA and they rejected my request: "At this time, we only support package maintainers requesting CVEs." Which CNA should I contact for the radare2 project? |
|
We will register CVE right after 4.5.0 is released. |
|
Should be able to be closed now? Or are we waiting on the CVE # |
|
@meme we are waiting for the CVE, I will send here a link once registered and will close this. Thanks for your work! |
|
This was assigned CVE-2020-15121. |
|
Here is the published security advisory: GHSA-r552-vp94-9358 |
Work environment
Expected behavior
idpddoes not cause untrusted code execution on my system.Actual behavior
Malformed PDB file names in the PDB server path cause shell injection via the following codepath:
https://github.com/radareorg/radare2/blob/master/libr/bin/pdb/pdb_downloader.c#L93-L99
In effect,
$(...)is not escaped properly, causing this issue. Note that this is not an isolated case in the code base,grepforr_sys_cmdforr_sys_cmdfor more potential attack vectors.Steps to reproduce the behavior
Open the executable in radare2 and run
idpdto trigger the download. The shell code will execute, and will create a file calledpwnedin the current directory.Additional Logs, screenshots, source-code, configuration dump, ...
I have just used a hex editor to patch the
dbg_fileto$(touch pwned)in a PE file from theradare2-testbinsrepository.ConsoleApplication1.zip (password is
infected)The example above is specific to the PDB downloader, but more investigation is required to uncover all the possible attack vectors in the radare2 code-base.
The text was updated successfully, but these errors were encountered: