radare2
cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*
- < 6.1.4
A path traversal vulnerability has been identified in radare2 versions prior to 6.1.4. This vulnerability arises in the project's notes management, allowing attackers to read or write files outside the designated project directory. The issue is exploited by importing a malicious .zrp archive that contains a symlinked notes.txt file. The crafted archive can bypass directory confinement checks, enabling note operations to follow the symlink and access arbitrary files outside the project's root directory.
Exploitation of this vulnerability allows for unauthorized access to files outside the configured project directory, potentially leading to the disclosure of sensitive information or unauthorized modification of files.
To reproduce this vulnerability, create a .zrp archive that includes a symlinked notes.txt file. The symlink should point to a file outside the project's root directory. Once the archive is prepared, import it into radare2 using the project notes feature. The application will follow the symlink and access the file outside the designated directory, demonstrating the path traversal vulnerability.
Users can update to radare2 version 6.1.4 or later, where this vulnerability has been addressed.
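Where archives from untrusted sources have to be handled before the upgrade is in place, a pre-import check can flag the condition described above. This is an added example, not radare2 code: it assumes a .zrp file is a standard ZIP archive written on a Unix system, and the entry names and link target in the sample are constructed.

```python
import io
import posixpath
import stat
import zipfile


def audit_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for each entry that should block an import."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Unix-created ZIPs keep st_mode in the high 16 bits of external_attr.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry the stored "file data" is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((name, f"symlink -> {target}"))
            # Independently reject absolute names and names that climb out with "..".
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append((name, "path escapes extraction root"))
    return findings


def constructed_sample() -> bytes:
    """Constructed sample (not a real project): a regular file plus a symlinked notes.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/script.txt", "# constructed placeholder file\n")
        link = zipfile.ZipInfo("demo/notes.txt")
        link.create_system = 3  # 3 = Unix, so the mode bits below are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside/constructed-target.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_archive(constructed_sample()):
        print(f"REJECT {entry}: {reason}")
```

An empty result means no symlink or escaping entry was found in the archive; any finding is a reason to refuse the import rather than to extract and inspect afterwards.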