Command injection across r_sys_cmd* #16945
Comments
@meme do you want to register a CVE for this?

I believe pancake was registering one, I will confirm.

Seems that it's up to me -- I'm not sure if I can register a CVE since it's not my project, though?

@meme of course not, you can register a CVE for any project.

Requested a CVE from the GitHub CNA and they rejected my request: "At this time, we only support package maintainers requesting CVEs." Which CNA should I contact for the radare2 project?

We will register a CVE right after 4.5.0 is released.

Should be able to be closed now? Or are we waiting on the CVE #?

@meme we are waiting for the CVE, I will send here a link once registered and will close this. Thanks for your work!

This was assigned CVE-2020-15121.

Here is the published security advisory: GHSA-r552-vp94-9358
Work environment

Expected behavior

idpd does not cause untrusted code execution on my system.

Actual behavior

Malformed PDB file names in the PDB server path cause shell injection via the following codepath:

https://github.com/radareorg/radare2/blob/master/libr/bin/pdb/pdb_downloader.c#L93-L99

In effect, $(...) is not escaped properly, causing this issue. Note that this is not an isolated case in the code base; grep for r_sys_cmd for more potential attack vectors.

Steps to reproduce the behavior

Open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.

Additional Logs, screenshots, source-code, configuration dump, ...

I have just used a hex editor to patch the dbg_file to $(touch pwned) in a PE file from the radare2-testbins repository.

ConsoleApplication1.zip (password is infected)

The example above is specific to the PDB downloader, but more investigation is required to uncover all the possible attack vectors in the radare2 code-base.
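As an added illustration of the defensive handling this code path needs (example code written for this page, not radare2's code and not the fix the project shipped): the PDB name read from the binary is checked against a strict allow-list, and the download is started with an argv vector instead of a shell, so a name such as $(touch pwned) is rejected and could never be interpreted anyway. The function names, the server/name/guid/name URL layout and the use of curl are assumptions of this example.

```c
/* Added example, not radare2 code. A PDB name taken from the binary's
 * debug directory must never reach a shell: it is validated against a
 * strict allow-list, and the download runs via execlp() with an argv
 * vector, so "$(...)", backticks or ';' are never interpreted. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only the characters a PDB base name legitimately contains.
 * Rejects "$(touch pwned)", "../x.pdb", "a;b" and empty/oversized names. */
int pdb_name_is_safe(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 255 || strstr(name, "..")) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Build the symbol-server URL only after validating both attacker-influenced
 * fields (the server/name/guid/name layout is an assumption of this example).
 * Returns 0 on success, -1 on a rejected value or on truncation. */
int build_pdb_url(char *out, size_t outlen, const char *server,
                  const char *name, const char *guid) {
    if (!pdb_name_is_safe(name) || !pdb_name_is_safe(guid)) return -1;
    int w = snprintf(out, outlen, "%s/%s/%s/%s", server, name, guid, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Fetch with a hypothetical curl invocation and no /bin/sh in between:
 * the URL is a single argv element, so shell metacharacters stay inert. */
int fetch_pdb_no_shell(const char *url, const char *dest) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("curl", "curl", "-sSL", "-o", dest, "--", url, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Contrast this with the reported code path, where the name is interpolated into a command string handed to r_sys_cmd: there the shell, not the program, decides what $(...) means.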