ASA-2019-00542 – radare2: Command injection in bin_symbols()


Allele Security Alert

ASA-2019-00542

Identifier(s)

ASA-2019-00542, CVE-2019-14745

Title

Command injection in bin_symbols()

Vendor(s)

The radare2 project

Product(s)

radare2

Affected version(s)

radare2 before version 3.7.0

Fixed version(s)

radare2 version 3.7.0

Proof of concept

Yes

Description

In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it’s possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.

Technical details

By replacing a symbol name like gethostname with:

`! <cmd>`

using r2 or a hex editor, it becomes possible to provide an arbitrary shell command within a binary. Since it’s quite common to analyse and debug untrusted and malicious binaries, this seems like a great attack scenario, as it is largely invisible to potential victims. Also, the shell command doesn’t even get printed to the console after it has been executed:

```
|ERROR| Invalid command 'f sym.imp.p 99`AAAAAAAAAAA 16 0x557aa086c000' (0x66)
```

No sign of the sleep command. The function that’s executing r_core_cmd0(core, ".is*") internally is called r_core_file_reopen_debug(). This is invoked by the ood command.

```
r2 -c "ood" -d /tmp/hax
--> PWNED
```
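
The bug class described above, as an added example that is not radare2's code: a file-controlled symbol name interpolated into a generated command line, next to a variant that filters the name first. The `f sym.imp.<name> <size> <addr>` line shape is taken from the error message above; the function names and the allowlist are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist for names spliced into a generated command line. The set is an
 * assumption of this example, not the filter radare2 itself uses. */
static int name_char_ok(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '.';
}

/* Copy src to dst, replacing disallowed bytes with '_'.
 * Returns the number of replacements, or -1 if dst is too small. */
int filter_symbol_name(const char *src, char *dst, size_t dst_len) {
    size_t n = strlen(src);
    int replaced = 0;
    if (n >= dst_len) return -1;
    for (size_t i = 0; i < n; i++) {
        int ok = name_char_ok((unsigned char)src[i]);
        dst[i] = ok ? src[i] : '_';
        replaced += !ok;
    }
    dst[n] = '\0';
    return replaced;
}

/* Vulnerable pattern: file-controlled name spliced verbatim into a command. */
int emit_flag_unsafe(char *out, size_t len, const char *name,
                     unsigned size, unsigned long long addr) {
    return snprintf(out, len, "f sym.imp.%s %u 0x%llx", name, size, addr);
}

/* Hardened pattern: filter the name first and fail closed on overflow. */
int emit_flag_filtered(char *out, size_t len, const char *name,
                       unsigned size, unsigned long long addr) {
    char safe[256];
    if (filter_symbol_name(name, safe, sizeof safe) < 0) return -1;
    int n = snprintf(out, len, "f sym.imp.%s %u 0x%llx", safe, size, addr);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void) {
    char line[512];
    const char *name = "! <cmd>"; /* placeholder name from the advisory */
    emit_flag_unsafe(line, sizeof line, name, 16, 0x1000ULL);
    printf("unsafe:   %s\n", line);
    if (emit_flag_filtered(line, sizeof line, name, 16, 0x1000ULL) > 0)
        printf("filtered: %s\n", line);
    return 0;
}
```

The unsafe line gains an extra whitespace-separated field from the name itself, while the filtered line keeps the fixed `f <flag> <size> <addr>` shape regardless of what the file contains.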

Credits

ps1337 and blenk92

Reference(s)

r2con 2019 PwnDebian Challenge: Exploiting radare2 (CVE-2019-14745)
https://bananamafia.dev/post/r2-pwndebian/

bin_symbols: Add quoting #14690
https://github.com/radareorg/radare2/pull/14690

bin_symbols: Add quoting (#14690)
https://github.com/radareorg/radare2/commit/7d30ff52fc1be6f9698b166107b8981eab6ec7ba

Demangle relocs and add asm.flags.{inline|limit|maxname} ##disasm
https://github.com/radareorg/radare2/commit/5ecd4c352bae1114730321fec2bde72332f8f090

GitHub – ps1337/r2-pwndebian-exploits
https://github.com/ps1337/r2-pwndebian-exploits

ASA-2019-00543 – radare2: Command injection in bin_symbols()
https://allelesecurity.com/asa-2019-00543/

CVE-2019-14745
https://security-tracker.debian.org/tracker/CVE-2019-14745

CVE-2019-14745 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14745.html

CVE-2019-14745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14745

CVE-2019-14745
https://nvd.nist.gov/vuln/detail/CVE-2019-14745


Last modified: September 26, 2019
