radare2 Command Injection Vulnerability in PDB Download via rabin2

Vulnerability

A command injection vulnerability has been identified in radare2 versions prior to 9236f44, when built on UNIX without SSL support. The issue arises in the PDB download process: user-controlled PDB filenames passed to 'rabin2 -PP' are injected into a shell command, which is then executed, leading to arbitrary command execution. The vulnerability was introduced in a commit that added a curl-based fallback for PDB downloads without SSL, and it can be exploited by crafting a PDB filename that breaks out of the expected format.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the user's system.

Reproduction

To reproduce this vulnerability, build radare2 in a configuration without SSL support. Then, use 'rabin2 -PP' on a crafted PE file whose PDB filename includes a section with single quotes, such as 'evil' ; <malicious commands> ; echo '.pdb'. The injected commands will execute during the PDB download process.

Remediation

Users can update to radare2 version 6.1.4, which addresses this vulnerability.
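
The injection described above depends on an untrusted PDB filename reaching a shell. The following C code is an added example, not radare2's code or its actual fix: it validates the name against an allowlist and builds an argv[] for execvp() so that no shell parses it. The function names, the allowlist, the symbol-server URL layout and the sample values are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for a PDB file name read from an untrusted PE debug directory.
 * The character set is an assumption of this example: [A-Za-z0-9._-] only,
 * ".pdb" suffix, no leading '-' (option injection), no ".." (traversal). */
bool pdb_name_is_safe(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len < 5 || len > 255 || name[0] == '-' || strstr(name, "..")) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') {
            return false; /* quotes, ';', spaces, '/', '$', '`' all land here */
        }
    }
    return strcmp(name + len - 4, ".pdb") == 0;
}

/* Builds an argv[] for execvp("curl", argv) instead of a string for system().
 * Each value is its own argv element, so no shell ever parses the file name.
 * Returns the number of arguments, or -1 if an input or buffer is rejected. */
int build_curl_argv(const char *server, const char *guid, const char *name,
                    char *url, size_t url_sz, const char *argv[], size_t cap) {
    if (cap < 6 || !pdb_name_is_safe(name)) {
        return -1;
    }
    /* The GUID also comes from the PE file: accept hex digits only. */
    if (!guid || !*guid || guid[strspn(guid, "0123456789abcdefABCDEF")]) {
        return -1;
    }
    /* Symbol-server layout <server>/<name>/<guid>/<name> (assumed here). */
    int n = snprintf(url, url_sz, "%s/%s/%s/%s", server, name, guid, name);
    if (n < 0 || (size_t)n >= url_sz) {
        return -1;
    }
    argv[0] = "curl";
    argv[1] = "-sfL";
    argv[2] = "-o";
    argv[3] = name;   /* output file: validated, passed as a single element */
    argv[4] = url;
    argv[5] = NULL;
    return 5;
}
```

With this shape, a name such as the one in the Reproduction section is rejected before any process is started, and an accepted name reaches curl as one argument rather than as shell text.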

Added: Apr 16, 2026, 3:27 AM
Updated: Apr 16, 2026, 3:27 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 10.0
exploitability: 5.2
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.