Description
Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | N/A |
| File format of the file you reverse (mandatory) | PE |
| Architecture/bits of the file (mandatory) | N/A |
| r2 -v full output, not truncated (mandatory) | >= radare2 f9048c2 |
Expected behavior
`idpd` does not cause untrusted code execution on my system.
Actual behavior
Malformed PDB file names in the PDB server path cause shell injection via the following codepath:
https://github.com/radareorg/radare2/blob/master/libr/bin/pdb/pdb_downloader.c#L93-L99
In effect, `$(...)` is not escaped properly, causing this issue. Note that this is not an isolated case in the code base; grep for `r_sys_cmdf` or `r_sys_cmd` for more potential attack vectors.
Steps to reproduce the behavior
Open the executable in radare2 and run `idpd` to trigger the download. The shell code will execute, and will create a file called `pwned` in the current directory.
Additional Logs, screenshots, source-code, configuration dump, ...
I have just used a hex editor to patch the `dbg_file` to `$(touch pwned)` in a PE file from the radare2-testbins repository.
ConsoleApplication1.zip (password is `infected`)
The example above is specific to the PDB downloader, but more investigation is required to uncover all the possible attack vectors in the radare2 code-base.
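As an added illustration (not radare2's own code; the function names and the `curl` invocation are hypothetical), the injection pattern the report describes next to a hardened variant: the PDB name taken from the binary is checked against a strict allowlist and then passed to the downloader as a separate argv element, so no shell ever parses it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (hypothetical): the PDB name read from the PE's debug
 * directory is interpolated into a command line that /bin/sh then parses,
 * so a name such as $(touch pwned) is executed as a command. */
int download_pdb_unsafe(const char *server, const char *pdb_name) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "curl -sfLo \"%s\" \"%s/%s\"", pdb_name, server, pdb_name);
    return system(cmd); /* shell injection: the quotes do not stop $(...) */
}

/* Hardened check: accept only characters a PDB file name legitimately needs,
 * reject a leading '-' (would be read as a curl option) or '.', and reject
 * ".." so the name cannot escape the download directory. */
bool pdb_name_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '-' || name[0] == '.') return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok) return false;
    }
    return strstr(name, "..") == NULL;
}

/* Hardened download: validate, then exec the downloader directly with an
 * argv vector. No shell is involved, so metacharacters are inert. */
int download_pdb_safe(const char *server, const char *pdb_name) {
    if (!pdb_name_is_safe(pdb_name)) return -1;
    char url[1024];
    snprintf(url, sizeof url, "%s/%s", server, pdb_name);
    char *const argv[] = {"curl", "-sfLo", (char *)pdb_name, url, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```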