Radare2 <4.5.0 - Command injection during opening PE file with malformed debug symbol information (PDB) - `idpd` command

Bug #1888338 reported by XVilka
Affects: radare2 (Ubuntu)
Status: Fix Committed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Impact

Malformed PDB file names in the PDB server path cause shell injection. To trigger the problem, it is required to open the executable in radare2 and run `idpd` to trigger the download. The shell code will execute and will create a file called pwned in the current directory.

Patches

The problem has been patched in version 4.5.0 in the following commit: 04edfa8

Workarounds

Set `e bin.dbginfo=false` in `$HOME/.config/radare2/radare2rc` to disable PDB autoloading, and do not use `idpd` manually.

The file triggering the error is attached here: https://github.com/radareorg/radare2/files/4673454/ConsoleApplication1.zip (password is infected)

- An issue report: https://github.com/radareorg/radare2/issues/16945
- A pull request with a fix: https://github.com/radareorg/radare2/pull/16966
- A security advisory: https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358
- Registered CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-15121
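The bug class described in the Impact section is a file name read from the PE's debug directory being interpolated into a shell command line. The following is an added illustration of that pattern next to a hardened alternative; it is example code written for this page, not radare2's code and not the fix in commit 04edfa8. The symbol-server URL, the `curl` invocation and the sample file names are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check for a PDB file name taken from untrusted PE debug info.
 * Accepts only [A-Za-z0-9._-], rejects names that look like options or
 * relative paths, and requires a .pdb extension. */
int is_safe_pdb_name(const char *name) {
    if (!name || !*name) return 0;
    if (name[0] == '-' || name[0] == '.') return 0; /* "-o", "..", hidden files */
    if (strstr(name, "..")) return 0;
    size_t len = strlen(name);
    if (len < 5 || len > 255) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    /* Case-insensitive ".pdb" suffix check. */
    const char *ext = name + len - 4;
    const char *want = ".pdb";
    for (int i = 0; i < 4; i++) {
        if (tolower((unsigned char)ext[i]) != want[i]) return 0;
    }
    return 1;
}

/* The vulnerable pattern: the untrusted name goes verbatim into a string
 * that is later handed to a shell. Any shell metacharacter in the name is
 * interpreted by the shell. Returns 1 when the command fit in the buffer. */
int build_command_unsafe(char *out, size_t out_len, const char *server, const char *name) {
    int n = snprintf(out, out_len, "curl -s -o %s %s/%s", name, server, name);
    return n >= 0 && (size_t)n < out_len;
}

/* Hardened pattern: validate the name, then build an argv for execvp() or
 * posix_spawn() so no shell ever parses the arguments. Returns the argc on
 * success or -1 if the name is rejected or the buffers are too small. */
int build_download_argv(const char *server, const char *name,
                        char *url_buf, size_t url_len,
                        const char *argv[], size_t argv_max) {
    if (!is_safe_pdb_name(name)) return -1;
    int n = snprintf(url_buf, url_len, "%s/%s", server, name);
    if (n < 0 || (size_t)n >= url_len) return -1;
    if (argv_max < 6) return -1;
    argv[0] = "curl";
    argv[1] = "-s";
    argv[2] = "-o";
    argv[3] = name;     /* safe: validated not to start with '-' */
    argv[4] = url_buf;
    argv[5] = NULL;
    return 5;
}

int main(void) {
    /* Constructed sample names: one benign, one carrying a shell metacharacter. */
    const char *server = "https://symbols.example.invalid/download/symbols"; /* assumed URL */
    const char *names[] = { "ConsoleApplication1.pdb", "x;y.pdb" };
    char cmd[512], url[512];
    const char *argv[8];
    for (int i = 0; i < 2; i++) {
        build_command_unsafe(cmd, sizeof cmd, server, names[i]);
        printf("unsafe command line : %s\n", cmd);
        int argc = build_download_argv(server, names[i], url, sizeof url, argv, 8);
        printf("hardened argv       : %s\n", argc < 0 ? "(rejected)" : url);
    }
    return 0;
}
```

Rejecting a name instead of escaping it is deliberate: with an allowlist the download either runs with exactly the characters the file name was expected to contain or does not run at all, and the `-o` argument cannot be turned into a different `curl` option because a leading `-` is refused.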

XVilka (xvilka) wrote :

Any updates? I should have made this bug public.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
Changed in radare2 (Ubuntu):
status: New → Confirmed

Lenin (gagarin)
Changed in radare2 (Ubuntu):
status: Confirmed → Fix Committed