Fix command injection on PDB download #16966
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GustavoLCR
requested review from
radare,
ret2libc,
thestr4ng3r,
XVilka and
yossizap
as code owners
|
Seems to fail more often: |
ret2libc
reviewed
May 29, 2020
GustavoLCR
force-pushed
the
fix-pdb-cmd-inj
branch
7 times, most recently
from
933f615 to
2184566
Compare
@ret2libc updated pr description with test steps. Also, newshell is failing this: |
GustavoLCR
force-pushed
the
fix-pdb-cmd-inj
branch
4 times, most recently
from
588ce77 to
1bb5d69
Compare
XVilka
approved these changes
Jun 1, 2020
4 tasks
ret2libc
suggested changes
Jun 1, 2020
GustavoLCR
force-pushed
the
fix-pdb-cmd-inj
branch
from
1bb5d69 to
930b445
Compare
GustavoLCR
force-pushed
the
fix-pdb-cmd-inj
branch
2 times, most recently
from
8840369 to
c4e2872
Compare
ret2libc
reviewed
Jun 3, 2020
* Also follow redirects
* Fix socket being created without a protocol
* Use select() in r_socket_ready() * Fix read failing if received only protocol answer * Fix double-free
GustavoLCR
force-pushed
the
fix-pdb-cmd-inj
branch
from
c4e2872 to
cf7bf20
Compare
ret2libc
suggested changes
Jun 5, 2020
| @@ -191,6 +151,19 @@ void deinit_pdb_downloader(SPDBDownloader *pd) { | |||
| pd->download = 0; | |||
| } | |||
|
|
|||
| static bool is_valid_guid(const char *guid) { | |||
There was a problem hiding this comment.
GUID are 32 chars long, aren't they? I'm not sure this function works correctly.
e.g.:
is_valid_guid('12345678901234567890123456789012') should be true
is_valid_guid('123456789012345678901234567890123') should be false
I think that currently this function does not return the right values.
There was a problem hiding this comment.
tested it, function works correctly
There was a problem hiding this comment.
Mmm, for me it doesn't. I'm using this test, where is_valid_guid is copied-pasted from your PR.
#include <stdio.h>
#include <stdbool.h>
#include <ctype.h>
static bool is_valid_guid(const char *guid) {
if (!guid) {
return false;
}
size_t i;
for (i = 0; guid[i] && i <= 33 ; i++) {
if (!isxdigit (guid[i])) {
return false;
}
}
return i == 33;
}
static void test_s(const char *s) {
if (is_valid_guid (s)) {
printf("'%s' is valid guid\n", s);
} else {
printf("'%s' is NOT valid guid\n", s);
}
}
int main(int argc, char **argv) {
test_s("12345678901234567890123456789012");
test_s("123456789012345678901234567890123");
return 0;
}If I run this program, it says:
'12345678901234567890123456789012' is NOT valid guid
'123456789012345678901234567890123' is valid guid
but the expected output is:
'12345678901234567890123456789012' is valid guid
'123456789012345678901234567890123' is NOT valid guid
Please let me know if I'm missing something.
There was a problem hiding this comment.
turns out guid string has appended to it the "age", so assuming it even has a fixed length was wrong, fixed it now
There was a problem hiding this comment.
mh, that looks weird, but it seems it is something a bit more deeper in the existing code. Guid are 32 chars AFAIK. Nevermind.
* Use r_socket_http_get() on UNIXs * Use WinINet API on Windows for r_socket_http_get() * Fix command injection
* Remove 'r_' and '__' from static function names
GustavoLCR
force-pushed
the
fix-pdb-cmd-inj
branch
from
01f3c5a to
a6221f8
Compare
XVilka
approved these changes
Jun 8, 2020
ret2libc
reviewed
Jun 8, 2020
ret2libc
reviewed
Jun 8, 2020
ret2libc
reviewed
Jun 8, 2020
ret2libc
suggested changes
Jun 8, 2020
trufae
requested changes
Jun 8, 2020
ret2libc
approved these changes
Jun 10, 2020
trufae
approved these changes
Jun 10, 2020
TrustMeIm0xDolphin
pushed a commit
to TrustMeIm0xDolphin/radare2
that referenced
this pull request
Jul 12, 2020
* Fix r_sys_mkdirp with absolute path on Windows * Fix build with --with-openssl * Use RBuffer in r_socket_http_answer() * r_socket_http_answer: Fix read for big responses * Implement r_str_escape_sh() * Cleanup r_socket_connect() on Windows * Fix socket being created without a protocol * Fix socket connect with SSL ##socket * Use select() in r_socket_ready() * Fix read failing if received only protocol answer * Fix double-free * r_socket_http_get: Fail if req. SSL with no support * Follow redirects in r_socket_http_answer() * Fix r_socket_http_get result length with R2_CURL=1 * Also follow redirects * Avoid using curl for downloading PDBs * Use r_socket_http_get() on UNIXs * Use WinINet API on Windows for r_socket_http_get() * Fix command injection * Fix r_sys_cmd_str_full output for binary data * Validate GUID on PDB download * Pass depth to socket_http_get_recursive() * Remove 'r_' and '__' from static function names * Fix is_valid_guid * Fix for comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Your checklist for this pull request
Detailed description
Reported in #16945, this fixes specifically the vulnerability while downloading a PDB by avoiding calling
curlthrough a command and usingradare2's own http request API, and in case of downloads from https servers with no SSL suport from the r2 api or when extracting compressed PDBs, properly escaping the PDB name with single-quotes (double-quotes on Windows).This includes fixes to compiling
radare2with SSL support (--with-openssl), and fixes the handshake process not being executed while connecting with SSL.Also, now r_socket_http_get() will follow redirects automatically.
Test plan
idpd(works)idpd(fails because no SSL support)%R2_CURL=1idpd(works)idpd,pwnedfile should not get created=hto run httpserver and in another terminal, connect to it.