R Buffer Overflow Vulnerability in GUI Preferences Language Field Allowing Arbitrary Code Execution

Vulnerability

A local buffer overflow vulnerability has been identified in R version 3.4.4. It allows an attacker to execute arbitrary code by supplying malicious input to the GUI Preferences language field. Exploitation involves crafting a payload with a 292-byte offset and a JMP ESP instruction; pasting that payload into the 'Language for menus and messages' field can execute commands such as calc.exe.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Reproduction

To reproduce this vulnerability, first use msfvenom to generate a payload that executes calc.exe, encoding it with x86/alpha_upper to avoid null bytes. The payload should be crafted to include a 292-byte buffer overflow followed by the JMP ESP instruction from user32.dll, which redirects execution to the injected payload. Once the exploit file is created, open the R application and navigate to 'Gui Preferences' under the 'Edit' menu. Paste the payload into the 'Language for menus and messages' field and click 'OK'. This triggers the buffer overflow and executes the injected command.
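
The general mitigation for this class of bug, as an added example that is not R's source code and not part of the original advisory: a language field is checked for length and character set before it is copied into a fixed-size buffer. The capacity LANG_MAX, the allowed character set and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LANG_MAX 32  /* assumed buffer capacity, including the terminating NUL */

/* Accept only locale-style names such as "en", "pt_BR" or "zh_CN.UTF-8".
 * Scans at most cap bytes, so an unterminated or huge input is never walked. */
static int lang_is_valid(const char *s, size_t cap)
{
    size_t n;
    if (s == NULL)
        return 0;
    for (n = 0; n < cap && s[n] != '\0'; n++) {
        unsigned char c = (unsigned char)s[n];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != '@')
            return 0;            /* character outside the allowed set */
    }
    return n < cap;              /* n == cap: no room left for the NUL */
}

/* Copy src into dst only after validation; on rejection dst is untouched.
 * Returns 0 on success, -1 when the input is rejected. */
int set_language(char dst[LANG_MAX], const char *src)
{
    if (!lang_is_valid(src, LANG_MAX))
        return -1;
    memcpy(dst, src, strlen(src) + 1);   /* length already proven < LANG_MAX */
    return 0;
}

int main(void)
{
    char lang[LANG_MAX] = "en";
    char oversized[400];                 /* constructed input, 399 x 'A' */
    int rc;

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    rc = set_language(lang, "pt_BR");
    printf("pt_BR     -> %d (lang = \"%s\")\n", rc, lang);
    rc = set_language(lang, oversized);
    printf("oversized -> %d (lang = \"%s\")\n", rc, lang);
    return 0;
}
```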

Added: Apr 12, 2026, 1:25 PM
Updated: Apr 12, 2026, 1:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 3.6
remediation: 0.0
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.