Radare2
cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*
- 5.9.9
A use-after-free vulnerability has been identified in Radare2 version 5.9.9, specifically in the radiff2 component. The issue arises in the r_cons_flush function in /libr/cons/cons.c. It is triggered by manipulating the experimental '-T' argument, which causes memory to be accessed after it has been freed. Exploitation requires local access; the issue has been publicly disclosed and an exploit is available. However, the existence of this vulnerability is currently disputed.
Exploitation results in a heap use-after-free, which can lead to memory corruption. The vulnerability has been shown to be exploitable, and a public proof-of-concept is available.
The vulnerability can be reproduced by building Radare2 with AddressSanitizer enabled, which detects memory-safety errors at runtime. After building and installing Radare2, running the radiff2 tool with the '-T' option, which is documented as experimental and 'crashy', triggers the use-after-free: r_cons_flush reads freed memory, the process crashes, and AddressSanitizer reports a heap-use-after-free error.
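Triaging the sanitizer output described above, as an added example that is not part of this advisory or of the Radare2 project: the script parses an AddressSanitizer report, extracts the bug kind, the faulting access and the access/free/allocation stacks, and checks whether the faulting frame is the r_cons_flush location this advisory names. The report it runs on is constructed to mirror the described crash; its addresses, pid, line numbers and the main/free/alloc frames are placeholders, not values from a real run.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the report the reproduction above produces.
# Addresses, pid, line numbers and the main/free/alloc frames are placeholders.
SAMPLE_REPORT = """\
==1234==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x400000 bp 0x7ffd0 sp 0x7ffd0
READ of size 8 at 0x602000000010 thread T0
    #0 0x400000 in r_cons_flush /libr/cons/cons.c:1000
    #1 0x400100 in main placeholder_radiff2.c:1
0x602000000010 is located 0 bytes inside of 64-byte region [0x602000000010,0x602000000050)
freed by thread T0 here:
    #0 0x4a0000 in free (/usr/local/bin/radiff2+0x0)
    #1 0x400200 in placeholder_free_site placeholder.c:1
previously allocated by thread T0 here:
    #0 0x4a0100 in malloc (/usr/local/bin/radiff2+0x0)
    #1 0x400300 in placeholder_alloc_site placeholder.c:2
SUMMARY: AddressSanitizer: heap-use-after-free /libr/cons/cons.c:1000 in r_cons_flush
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^[ \t]+#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
SECTION_RE = re.compile(r"^(freed by|previously allocated by) thread[^\n]*$", re.M)

def _frames(chunk: str) -> List[Tuple[str, str]]:
    """Stack frames of one report section as (function, source location or module+offset)."""
    return [(f.group("func"), f.group("loc")) for f in FRAME_RE.finditer(chunk)]

def parse_asan_report(text: str) -> Optional[Dict]:
    """Return kind, faulting address, access (op, size) and the access/free/alloc stacks."""
    m = ERROR_RE.search(text)
    if not m:
        return None  # not an AddressSanitizer report
    acc = ACCESS_RE.search(text)
    # Everything before the first "freed by"/"previously allocated by" header is the access stack.
    chunks = SECTION_RE.split(text)
    stacks = {"access": _frames(chunks[0])}
    for label, body in zip(chunks[1::2], chunks[2::2]):
        stacks["free" if label.startswith("freed") else "alloc"] = _frames(body)
    return {"kind": m.group("kind"), "address": m.group("addr"),
            "access": (acc.group("op"), int(acc.group("size"))) if acc else None,
            "stacks": stacks}

def matches_advisory(report: Optional[Dict]) -> bool:
    """True for a heap use-after-free whose faulting frame is r_cons_flush in libr/cons/cons.c."""
    if not report or report["kind"] != "heap-use-after-free" or not report["stacks"]["access"]:
        return False
    func, loc = report["stacks"]["access"][0]
    return func == "r_cons_flush" and "libr/cons/cons.c" in loc
```

Feeding the real report from an ASan-instrumented radiff2 run to parse_asan_report gives the same structure, so matches_advisory can be used to sort a batch of crash logs by whether they hit this specific location.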
Users are advised to update to the latest version of Radare2, where this vulnerability has been patched. The patch is available on the official Radare2 GitHub repository.