Allele Security Alert
ASA-2019-00543
Identifier(s)
ASA-2019-00543, CVE-2019-16718
Title
Command injection in bin_symbols()
Vendor(s)
The radare2 project
Product(s)
radare2
Affected version(s)
radare2 before version 3.9.0
Fixed version(s)
radare2 version 3.9.0
Proof of concept
Yes
Description
In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it’s possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to an insufficient fix for ASA-2019-00542 and improper handling of symbol names embedded in executables.
Technical details
Injection through is* is still possible using a symbol name containing a double quote (") and in other cases.
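One way to neutralise untrusted symbol names before they are interpolated into generated commands such as the is* output, given here as an added example; it is not radare2's code or its actual fix. The function names and the allowlist of characters are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper, not radare2 code: returns 1 if c may appear in a
 * name that is later interpolated into a generated command line.
 * The allowlist itself is an assumption made for this example. */
static int is_safe_name_char(unsigned char c) {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '.' || c == ':';
}

/* Copy src into dst (capacity dstsz), replacing every byte outside the
 * allowlist with '_'. Always NUL-terminates dst. Returns the number of
 * bytes replaced, or -1 on bad arguments or if src had to be truncated. */
int sanitize_symbol_name(const char *src, char *dst, size_t dstsz) {
	size_t i;
	int replaced = 0;
	if (!src || !dst || dstsz == 0) {
		return -1;
	}
	for (i = 0; src[i] && i + 1 < dstsz; i++) {
		unsigned char c = (unsigned char)src[i];
		if (is_safe_name_char(c)) {
			dst[i] = (char)c;
		} else {
			dst[i] = '_';
			replaced++;
		}
	}
	dst[i] = '\0';
	/* Treat truncation as an error so callers never use a partial name. */
	return src[i] ? -1 : replaced;
}

int main(void) {
	/* Constructed sample names, as they might be read from a symbol table. */
	const char *samples[] = { "main", "sym.imp.printf", "foo\"bar", "a`b`c" };
	char out[64];
	size_t n;
	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
		int r = sanitize_symbol_name(samples[n], out, sizeof(out));
		printf("%-16s -> %-16s (%d replaced)\n", samples[n], out, r);
	}
	return 0;
}
```

An allowlist rejects the double quote and the backtick named in this alert without having to enumerate every character the command parser treats specially.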
Credits
Unknown
Reference(s)
Refactor is* and fix Injection harder #14797
https://github.com/radareorg/radare2/pull/14797
More fixes for the CVE-2019-14745
https://github.com/radareorg/radare2/commit/5411543a310a470b1257fb93273cdd6e8dfcb3af
Fix #14990 – multiple quoted command parsing issue ##core
https://github.com/radareorg/radare2/commit/dd739f5a45b3af3d1f65f00fe19af1dbfec7aea7
Quote command parsing issue #14990
https://github.com/radareorg/radare2/issues/14990
Forbid backticks in flagnames #14701
https://github.com/radareorg/radare2/issues/14701
Replace backticks with _ in symbol, reloc and import names
https://github.com/blenk92/radare2/commit/e90c37c100b314abe7f203696160f47eb8de7c3f
ASA-2019-00542 – radare2: Command injection in bin_symbols()
https://allelesecurity.com/asa-2019-00542
CVE-2019-16718
https://security-tracker.debian.org/tracker/CVE-2019-16718
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16718.html
CVE-2019-16718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16718
CVE-2019-16718
https://nvd.nist.gov/vuln/detail/CVE-2019-16718
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 26, 2019