#VU33002 Command Injection in radare2 - CVE-2019-14745
Published: August 7, 2019 / Updated: August 3, 2020
Vulnerability identifier: #VU33002
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-14745
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
radare2
radare2
Software vendor:
Radare
Radare
Description
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
Remediation
Install update from vendor's website.
External links
- https://bananamafia.dev/post/r2-pwndebian/
- https://github.com/radare/radare2/pull/14690
- https://github.com/radare/radare2/releases/tag/3.7.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETWG4VKHWL5F74L3QBBKSCOXHSRNSRRT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MGA2PVBFA6VPWWLMBGWVBESHAJBQ7OXJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/