Radare2 Use-After-Free Vulnerability in GDB Remote Debugging

Vulnerability

A use-after-free vulnerability has been identified in Radare2 version 6.1.5, specifically within the 'gdbr_threads_list()' function. This vulnerability allows remote attackers to cause memory corruption by sending a valid 'qfThreadInfo' response followed by a malformed 'qsThreadInfo' response. Exploitation of this vulnerability can lead to a denial-of-service condition or potentially allow for code execution by manipulating the processing of the thread list during GDB remote debugging.

Impact

Exploitation of this vulnerability can cause memory corruption, leading to a denial-of-service condition or potentially allowing for code execution by manipulating thread list processing.

Reproduction

The vulnerability can be reproduced by running a server that sends a valid 'qfThreadInfo' response followed by a malformed 'qsThreadInfo' response. This can be done using a Python script named 'uaf.py', which is available as an attachment on the GitHub issue discussing this vulnerability. After starting the server, connect Radare2 to a GDB server using the command './bin/radare2/radare2 -e dbg.exe.path=/bin/ls -d gdb://localhost:1234'.
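An added example, not taken from the advisory or the radare2 project: a Python check a defender could run over the server-to-client bytes of one captured thread-list exchange to flag replies that deviate from the reply grammar in the GDB remote protocol documentation ('l', or 'm' followed by comma-separated thread ids). The advisory does not say which malformation triggers the bug, so this is a generic strict-grammar filter; the names frame, unframe, audit_thread_list and SAMPLE are assumptions, and the sample bytes are constructed.

```python
import re

# Thread id per the GDB remote protocol docs: hex, optionally pPID.TID.
# Assumption: wildcard ids (-1, 0) are never valid in a thread-list reply.
_TID = r"(?:p[0-9a-fA-F]+\.)?[0-9a-fA-F]+"
_REPLY = re.compile(rf"l|m{_TID}(?:,{_TID})*")
_FRAME = re.compile(rb"\$([^#$]*)#([0-9a-fA-F]{2})")


def frame(payload: str) -> bytes:
    """Build a $payload#xx packet (used only to construct sample input)."""
    p = payload.encode("latin-1")
    return b"$" + p + b"#" + b"%02x" % (sum(p) % 256)


def unframe(raw: bytes):
    """Yield (payload, checksum_ok) for every $payload#xx frame in raw."""
    for m in _FRAME.finditer(raw):
        body = m.group(1)
        yield body.decode("latin-1"), sum(body) % 256 == int(m.group(2), 16)


def audit_thread_list(server_bytes: bytes):
    """Judge a server's qfThreadInfo/qsThreadInfo replies, in order.

    Assumes the bytes cover a single thread-list exchange. Run-length
    encoding ('*') and '}' escapes are not expanded here, so replies
    that use them are reported as malformed.
    """
    findings, ended = [], False
    for payload, checksum_ok in unframe(server_bytes):
        if not checksum_ok:
            verdict = "bad-checksum"
        elif ended:
            verdict = "data-after-end-of-list"
        elif not _REPLY.fullmatch(payload):
            verdict = "malformed"
        else:
            verdict, ended = "ok", payload == "l"
        findings.append((payload, verdict))
    return findings


# Constructed sample: a valid first reply, an invalid continuation, then 'l'.
SAMPLE = frame("m1,2") + b"+" + frame("m1,zz") + frame("l")

if __name__ == "__main__":
    for payload, verdict in audit_thread_list(SAMPLE):
        print(f"{verdict:24} {payload!r}")
```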

Remediation

Users can upgrade to Radare2 version 6.1.6 or later, where this vulnerability has been patched.

Added: May 15, 2026, 5:22 PM
Updated: May 15, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.