CVE-2020-15121

Command injection in Radare2

CVSS 7.4 HIGH · EPSS 1.6% · CWE-78
In short

Radare2 fails to properly validate PDB file names when downloading debug information, allowing attackers to execute arbitrary shell commands by crafting a malicious PDB server path. This happens when opening a specially crafted executable and running the debug download feature.

Technical detail

A command injection vulnerability (CWE-78) in radare2's PDB server path handling occurs when user-controlled file names from the PDB server are passed unsanitized to shell execution. Exploitation requires the victim to open a malicious executable and run the idpd command, which leads to arbitrary code execution in the context of the radare2 process.

Summary generated and translated by AI from the official description.
In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Affected products
radareorg · radare2
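
The pattern described under "Technical detail", shown next to a hardened form. This is an added example, not radare2's code or its actual fix; the function names, the curl-style downloader, the allowlist rule, the server URL and the sample file names are all assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: a plain file name of letters, digits, '.', '_'
 * and '-', not starting with '.' or '-'. Everything else is rejected. */
int pdb_name_is_safe(const char *name) {
    size_t i, len = name ? strlen(name) : 0;
    if (len == 0 || len > 255 || name[0] == '.' || name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Vulnerable pattern (built here, never executed): the name is pasted into
 * text a shell would parse, so ';', '`', '$(' etc. become shell syntax. */
int build_shell_cmd_unsafe(char *out, size_t n, const char *server,
                           const char *name) {
    return snprintf(out, n, "curl -o %s %s/%s", name, server, name);
}

/* Hardened pattern: validate, then fill an argument vector for an
 * exec-style call so no shell parses the name. Returns argc or -1. */
int build_argv_safe(const char *av[5], char *url, size_t n,
                    const char *server, const char *name) {
    int w;
    if (!pdb_name_is_safe(name))
        return -1;
    w = snprintf(url, n, "%s/%s", server, name);
    if (w < 0 || (size_t)w >= n)
        return -1;
    av[0] = "curl"; av[1] = "-o"; av[2] = name; av[3] = url;
    av[4] = NULL;
    return 4;
}

int main(void) {
    const char *av[5], *bad = "x.pdb; echo injected"; /* constructed name */
    char cmd[256], url[256];
    build_shell_cmd_unsafe(cmd, sizeof cmd, "https://symbols.example", bad);
    printf("unsafe string: %s\n", cmd);
    printf("safe builder:  %d\n",
           build_argv_safe(av, url, sizeof url, "https://symbols.example", bad));
    return 0;
}
```

The unsafe builder carries the `;` and everything after it into the command text unchanged, while the hardened builder refuses the same name before any process is started.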
