radare2 Command Injection Vulnerability in PDB Parser

Vulnerability

A command injection vulnerability has been identified in radare2 versions prior to 6.1.4. The issue is in the PDB parser's print_gvars() function, where raw symbol names from PDB files are not properly sanitized before being interpolated into command flags. An attacker can therefore craft a malicious PDB file whose symbol names contain newline characters. When the idp command is run against such a PDB file, the injected commands are executed, leading to arbitrary operating system command execution via radare2's shell execution operator.
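The bug class described above, as an added example (not radare2's code and not the actual fix): a symbol name written verbatim into a line-oriented command script, next to a variant that filters the name first. The function names, the "f pdb.NAME = ADDR" line format and the allow-list are assumptions made for illustration, and the sample name is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: the raw name is formatted straight into a command line.
 * A newline inside `name` ends this command and starts another one. */
int emit_flag_unsafe(char *out, size_t outsz, const char *name, unsigned long long addr) {
    return snprintf(out, outsz, "f pdb.%s = 0x%llx\n", name, addr);
}

/* Hypothetical allow-list filter: keep [A-Za-z0-9_.], map every other byte
 * (newline, ';', '|', '!', backtick, quotes, spaces, ...) to '_'. */
void filter_name(char *dst, size_t dstsz, const char *src) {
    size_t i = 0;
    if (dstsz == 0) {
        return;
    }
    for (; src[i] != '\0' && i + 1 < dstsz; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (isalnum(c) || c == '_' || c == '.') ? (char)c : '_';
    }
    dst[i] = '\0'; /* always terminated; over-long names are truncated */
}

/* Hardened pattern: filter first, then format. */
int emit_flag_safe(char *out, size_t outsz, const char *name, unsigned long long addr) {
    char clean[256];
    filter_name(clean, sizeof clean, name);
    return snprintf(out, outsz, "f pdb.%s = 0x%llx\n", clean, addr);
}

/* How many separate command lines a script buffer would be split into. */
int count_commands(const char *script) {
    int n = 0;
    for (; *script != '\0'; script++) {
        if (*script == '\n') {
            n++;
        }
    }
    return n;
}

int main(void) {
    const char *name = "sym\nSECOND_COMMAND"; /* constructed sample name */
    char buf[512];
    emit_flag_unsafe(buf, sizeof buf, name, 0x401000ULL);
    printf("unsafe: %d command line(s)\n", count_commands(buf));
    emit_flag_safe(buf, sizeof buf, name, 0x401000ULL);
    printf("safe:   %d command line(s)\n%s", count_commands(buf), buf);
    return 0;
}
```

An allow-list is used rather than stripping only newlines because any byte the command interpreter treats as a separator or operator has the same effect.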

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the operating system where radare2 is running.

Reproduction

To reproduce this vulnerability, create a PDB file with symbol names that include newline characters. Then, load this PDB file into radare2 using the command 'r2 target.exe', and execute the 'idp' command. The injected commands will be executed, demonstrating the command injection vulnerability.

Remediation

Users can upgrade to radare2 version 6.1.4 or later, where this vulnerability has been fixed.

Added: Apr 22, 2026, 10:25 PM
Updated: Apr 22, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.