
Multiple commands injection into cmd/cmdj while implementing automation scripts #77

Open
a1ext opened this issue Oct 23, 2018 · 3 comments


a1ext commented Oct 23, 2018

Environment

  • Windows 7 x64
  • radare2 version: built with debug su
        radare2 3.1.0-git 19775 @ windows-x86-64 git.3.0.1-19-g92982e44f
        commit: 92982e44f8cd4a1908829200787d6a6ca50929bb build: 23.10.2018__22:56:48,08

Story

While working on some new sample, I was writing a script for decoding embedded strings. It does some pointer fetching, reads the encrypted string, deciphers it and adds a comment at the place where the string is. The script looks like the following:

```python
import traceback
import r2pipe

# decrypt_str() is the author's string-deciphering routine, defined elsewhere in the script

r2 = r2pipe.open(r'path-to-a-binary')
ea = 0x14002a1f0
end_ea = 0x14002ae10

while ea < end_ea:
    va = r2.cmdj('pxqj 8 @ 0x%x' % ea)  # read qword of string pointer
    if not va:
        break
    va = va[0]

    s = r2.cmd('px0 @ 0x%x' % va)  # should be optimized, in case there is 2GB string :)
    if not s:
        break
    s = bytes.fromhex(s) + b'==='
    if not s:
        print('- cannot get str at %08x' % ea)
        break

    try:
        print('trying to decrypt: %08x' % va)
        decr = decrypt_str(s)
        print('%08x: "%r"' % (va, decr.decode('utf8')))
        r2.cmd('CCa 0x%x "%s"' % (va, decr.decode('utf8')))  # <<< problem command
    except:
        print('cannot decode string at %08x "%s": %s' % (va, s, traceback.format_exc()))
    ea += 8
```

While running this script I got the assertion failure:
[screenshot: assertion failure]

That was strange, because the stack trace showed that this code is inside the routine reading from the console:
[screenshot: stack trace]

Digging deeper into this, I realized that some of the comments which were passed to the CCa command had \n inside. So, that means the comment string was split by radare by \n and the remainder was interpreted as a separate command. The following code confirmed my thoughts:

[screenshot: test run]

The string after \n is lol, and it was interpreted by radare2 as the "list files and directories" command.

This means that if a user automatically decrypts some string and wants to store it as a comment, he can occasionally run some valid radare2 command and pwn himself. For example he can write some shellcode and execute it or spawn some shell command.
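The splitting described above, modelled as an added example (not from the issue, from r2pipe or from radare2's own code): hypothetical helpers that detect or escape separators before decrypted text is interpolated into a CCa command. The one-line-per-command model of r2's parser stands in for the behaviour the issue reports, and treating `;` and the backtick as separators is an assumption.

```python
# Hypothetical helpers (added example, not radare2/r2pipe code): keep decrypted
# text from being split into extra commands when it is interpolated into CCa.

# Separators treated as unsafe inside a cmd() argument. Newline is the one the
# issue demonstrates; ';' and '`' are assumed to be r2 command specials as well.
SEPARATORS = "\n\r;`"


def comment_is_safe(text: str) -> bool:
    """True if `text` can sit inside  CCa <addr> "<text>"  as exactly one command."""
    return not any(ch in text for ch in SEPARATORS + '"')


def sanitize_comment(text: str) -> str:
    """Escape control characters, non-ASCII bytes and separators so the comment
    becomes a single printable line (the escapes stay readable in r2's view)."""
    escaped = text.encode("unicode_escape").decode("ascii")  # "\n" -> "\\n", etc.
    for ch in ';`"':
        escaped = escaped.replace(ch, "\\x%02x" % ord(ch))
    return escaped


def build_cca(addr: int, comment: str) -> str:
    """Build the command line exactly the way the script in the issue does."""
    return 'CCa 0x%x "%s"' % (addr, comment)


def commands_as_r2_would_see(cmdline: str) -> list:
    """Model (assumption) of the behaviour reported in the issue: every
    newline-separated piece of the string handed to cmd() runs as its own command."""
    return [part for part in cmdline.split("\n") if part]


if __name__ == "__main__":
    # Constructed sample: decrypted text carrying the embedded newline from the issue.
    leaked = "secret\nlol"
    print(commands_as_r2_would_see(build_cca(0x14002A1F0, leaked)))                    # two commands
    print(commands_as_r2_would_see(build_cca(0x14002A1F0, sanitize_comment(leaked))))  # one command
```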


radare commented Oct 23, 2018 via email


a1ext commented Oct 23, 2018

Hi @radare,
Is it safe for users to keep this behavior? Is it documented that cmd/cmdj can run many commands at once?


radare commented Oct 23, 2018 via email
