Allele Security Alert
ASA-2019-00542
Identifier(s)
ASA-2019-00542, CVE-2019-14745
Title
Command injection in bin_symbols()
Vendor(s)
The radare2 project
Product(s)
radare2
Affected version(s)
radare2 before version 3.7.0
Fixed version(s)
radare2 version 3.7.0
Proof of concept
Yes
Description
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it’s possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
Technical details
By replacing a symbol name like `gethostname` with `! <cmd>` using r2 or a hex editor, it becomes possible to provide an arbitrary shell command within a binary. Since it's quite common to analyse and debug untrusted and malicious binaries, this seems like a great attack scenario, since it is largely invisible to potential victims. Also, the shell command doesn't even get printed to the console after it has been executed:

|ERROR| Invalid command 'f sym.imp.p 99`AAAAAAAAAAA 16 0x557aa086c000' (0x66)

No sign of the sleep command. The function that executes `r_core_cmd0(core, ".is*")` internally is called `r_core_file_reopen_debug()`. This is invoked by the `ood` command.

r2 -c "ood" -d /tmp/hax
--> PWNED
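The root cause described above is that the text produced by `is*` (one `f sym.imp.<name> <size> <addr>` line per symbol) is fed back to the command parser, so a symbol name carrying parser metacharacters rewrites the command it was pasted into. The following Python script is an added example, not radare2 code and not the project's fix: it models the unquoted command shape beside a filtered one, and gives analysts a pre-load triage check that lists symbol names containing such characters. The metacharacter set and the lossy identifier filter are assumptions made for this example (the advisory's actual fix added quoting, see the "Add quoting" references); the symbol table is constructed inline.

```python
"""Triage check for symbol-name command injection of the kind in CVE-2019-14745.

Added example, not radare2 code. It models the bug the advisory describes:
`is*` output is re-evaluated as commands, so a symbol name containing
command-parser metacharacters escapes the `f sym.imp.<name> <size> <addr>`
line it was meant to sit in.
"""
import re

# Characters that, in the advisory's scenario, change the meaning of a
# re-evaluated command line. Assumption: this set is drawn from the
# advisory's examples (backtick and '!') plus common separators; it is not
# an exhaustive copy of radare2's parser rules.
META_CHARS = frozenset("`!;|\"\n\r ")

# Flag names made only of these characters cannot break out of the command
# they are embedded in.
SAFE_FLAG_NAME = re.compile(r"^[A-Za-z0-9_.]+$")


def flag_command_unquoted(name, size, addr):
    """Vulnerable shape: the raw symbol name is pasted into the command."""
    return f"f sym.imp.{name} {size} 0x{addr:x}"


def filter_flag_name(name):
    """Hardened shape: replace every character outside the safe set.

    Assumption: a lossy identifier filter is one acceptable mitigation for
    an analysis tool; the project's own fix chose quoting instead.
    """
    return re.sub(r"[^A-Za-z0-9_.]", "_", name) or "_"


def flag_command_filtered(name, size, addr):
    """Same command, but built from a name that cannot carry metacharacters."""
    return f"f sym.imp.{filter_flag_name(name)} {size} 0x{addr:x}"


def find_injection_candidates(symbols):
    """Return (name, first_offending_char) for every symbol name that contains
    a metacharacter, so an analyst can inspect the binary before loading it
    into a tool that re-evaluates its symbol listing as commands."""
    hits = []
    for name in symbols:
        bad = [c for c in name if c in META_CHARS]
        if bad:
            hits.append((name, bad[0]))
    return hits


# Constructed sample: an ordinary import table with one malicious entry of
# the kind the advisory describes (a name that begins with "! ").
SAMPLE_SYMBOLS = ["gethostname", "printf", "__libc_start_main", "! sleep 10"]

if __name__ == "__main__":
    for name, ch in find_injection_candidates(SAMPLE_SYMBOLS):
        print(f"suspicious symbol {name!r}: contains {ch!r}")
        print("  unquoted :", flag_command_unquoted(name, 16, 0x557aa086c000))
        print("  filtered :", flag_command_filtered(name, 16, 0x557aa086c000))
```

In a real triage workflow the symbol list would come from an ELF/PE parser run over the untrusted file; the check itself is the same. The filtered line is lossy by design (`! sleep 10` becomes `__sleep_10`), which is acceptable for a flag name but is why a quoting fix, as the project chose, preserves the original name while still neutralising the parser.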
Credits
ps1337 and blenk92
Reference(s)
r2con 2019 PwnDebian Challenge: Exploiting radare2 (CVE-2019-14745)
https://bananamafia.dev/post/r2-pwndebian/
bin_symbols: Add quoting #14690
https://github.com/radareorg/radare2/pull/14690
bin_symbols: Add quoting (#14690)
https://github.com/radareorg/radare2/commit/7d30ff52fc1be6f9698b166107b8981eab6ec7ba
Demangle relocs and add asm.flags.{inline|limit|maxname} ##disasm
https://github.com/radareorg/radare2/commit/5ecd4c352bae1114730321fec2bde72332f8f090
GitHub – ps1337/r2-pwndebian-exploits
https://github.com/ps1337/r2-pwndebian-exploits
ASA-2019-00543 – radare2: Command injection in bin_symbols()
https://allelesecurity.com/asa-2019-00543/
CVE-2019-14745
https://security-tracker.debian.org/tracker/CVE-2019-14745
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14745.html
CVE-2019-14745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14745
CVE-2019-14745
https://nvd.nist.gov/vuln/detail/CVE-2019-14745
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 26, 2019