radare2
cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*
- < bc5a890
A command injection vulnerability has been identified in radare2 versions prior to commit bc5a890. The issue lies in the afsv/afsvj command path: a specially crafted ELF binary can carry radare2 command sequences embedded in DWARF parameter names. When radare2 analyzes such a binary and the afsvj command is then executed, the embedded commands are executed as well. The root cause is that these parameter names are interpolated into the pfq command string without sanitization, which allows arbitrary shell command execution through radare2's command interpreter.
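The defensive point is input validation before interpolation: a name taken from untrusted debug information must never reach a command interpreter unchecked. The following C example is added here for illustration and is not radare2's code; the command layout ("pfq <format> @ <name>") and the function names are assumptions. It accepts only names that look like plain C identifiers and refuses to build a command string otherwise, so metacharacters such as `;`, backticks, `!` or `|` can never change the meaning of the command.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on an accepted identifier; DWARF strings are otherwise unbounded. */
#define MAX_PARAM_NAME 255

/* Allowlist check: a DWARF parameter name is accepted only if it is a plain
 * C identifier (leading letter or underscore, then letters, digits, underscores).
 * Anything else, including command separators or shell escapes, is rejected. */
bool is_safe_param_name(const char *name) {
    if (name == NULL || *name == '\0') {
        return false;
    }
    if (strlen(name) > MAX_PARAM_NAME) {
        return false;
    }
    unsigned char first = (unsigned char)name[0];
    if (!(isalpha(first) || first == '_')) {
        return false;
    }
    for (const char *p = name + 1; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_')) {
            return false;
        }
    }
    return true;
}

/* Build the command string only from a validated name (assumed layout).
 * Returns 0 on success, -1 if the name is rejected or the buffer is too small. */
int build_pfq_command(const char *fmt, const char *name, char *out, size_t outlen) {
    if (fmt == NULL || out == NULL || outlen == 0) {
        return -1;
    }
    if (!is_safe_param_name(name)) {
        return -1;
    }
    int n = snprintf(out, outlen, "pfq %s @ %s", fmt, name);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;   /* truncated output would also be a silent bug */
    }
    return 0;
}

int main(void) {
    /* Constructed sample names: one benign, one carrying command separators. */
    const char *names[] = { "argc", "a;!ls" };
    char cmd[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_pfq_command("d", names[i], cmd, sizeof cmd) == 0) {
            printf("accepted: %s\n", cmd);
        } else {
            printf("rejected: %s\n", names[i]);
        }
    }
    return 0;
}
```

An allowlist is preferable to escaping here because the accepted alphabet is small and well defined, whereas escaping has to track every separator the command interpreter understands and fails silently when a new one is added.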
Exploitation of this vulnerability allows for arbitrary command execution on the host system where radare2 is run.
To reproduce this vulnerability, first create an ELF binary that includes malicious shell commands embedded in the DWARF parameter names as DW_TAG_formal_parameter names. Once this binary is crafted, analyze it with radare2 using the 'aaa' command to perform analysis. After the analysis is complete, run the 'afsvj' command, which will trigger the execution of the embedded shell commands due to the command injection vulnerability.
Users should update to the latest version of radare2, which includes the fix for this vulnerability (commit bc5a890).