Radare2 NULL Pointer Dereference Vulnerability in NE Binary Parser Causes Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability exists in radare2 versions through 6.0.5, specifically within the info() function of the bin_ne.c file. This vulnerability can be triggered by processing crafted NE binaries, leading to a segmentation fault and causing a denial-of-service condition. The issue arises because the info() function improperly handles certain malformed binary inputs, dereferencing a NULL pointer during string manipulation operations. This flaw has been confirmed to cause a crash when the tool is run with AddressSanitizer enabled.

Impact

Exploitation of this vulnerability leads to a segmentation fault that crashes radare2. This has been verified using AddressSanitizer, which reported the NULL pointer dereference, a runtime error that typically indicates a serious issue in the code.

Reproduction

The vulnerability can be reproduced by using radare2 to open a crafted NE binary file that triggers the NULL pointer dereference. Running a radare2 build with AddressSanitizer enabled will catch and report the segmentation fault caused by the vulnerability.

Remediation

Users can upgrade to radare2 version 6.0.6 or later, where this vulnerability has been fixed. The patch involves adding a NULL check in the bin_ne.c file before accessing certain fields in the info() function.
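
The remediation pattern described above, as an added example: this is not radare2's code or its patch. The simplified NE layout (buffer starting at the "NE" signature, name table offset at 0x26) and the names ne_module_name, info_unchecked, info_checked and demo are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified layout: buf starts at the "NE" signature. */
#define NE_RESTAB_OFF 0x26 /* 16-bit offset of the resident-name table */

/* Heap copy of the first resident-name entry (length-prefixed string),
 * or NULL when the input is malformed. */
char *ne_module_name(const uint8_t *buf, size_t len) {
    if (!buf || len < NE_RESTAB_OFF + 2 || buf[0] != 'N' || buf[1] != 'E')
        return NULL;
    size_t tab = buf[NE_RESTAB_OFF] | ((size_t)buf[NE_RESTAB_OFF + 1] << 8);
    if (tab >= len) return NULL;                 /* offset past end of file */
    size_t n = buf[tab];
    if (n == 0 || n > len - tab - 1) return NULL; /* empty or truncated name */
    char *name = malloc(n + 1);
    if (!name) return NULL;
    memcpy(name, buf + tab + 1, n);
    name[n] = '\0';
    return name;
}

/* Unchecked pattern, shown for contrast and never called here. */
size_t info_unchecked(const uint8_t *buf, size_t len) {
    char *name = ne_module_name(buf, len);
    size_t n = strlen(name); /* NULL dereference on malformed input */
    free(name);
    return n;
}

/* Checked pattern: test the pointer before any string operation. */
size_t info_checked(const uint8_t *buf, size_t len) {
    char *name = ne_module_name(buf, len);
    if (!name) return 0; /* malformed input: report no name, do not crash */
    size_t n = strlen(name);
    free(name);
    return n;
}

/* Constructed sample: name table at 0x30 holds "DEMO"; bad_offset points
 * the table outside the 0x40-byte buffer. */
size_t demo(int bad_offset) {
    uint8_t b[0x40] = { 'N', 'E' };
    b[NE_RESTAB_OFF] = bad_offset ? 0xF0 : 0x30;
    memcpy(b + 0x30, "\x04" "DEMO", 5);
    return info_checked(b, sizeof b);
}

int main(void) { printf("%zu %zu\n", demo(0), demo(1)); return 0; }
```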

Added: Nov 14, 2025, 9:19 PM
Updated: Nov 14, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.