ANSI Escape Sequence Injection in radareorg/radare2

Valid

Reported on

Jan 2nd 2023

Description

Injection of escape sequences opens up the possibility for concealing / modifying viewed data, and code execution (as some esc seqs feed data back to stdin).

Proof of Concept

poc

So far, the places I managed to find a successful injection are:

when running id from the file name
func signature in hex dump in visual mode
func signature in disassembly and comment in disassembly
func signature in location search (_ in visual mode)

In the poc it is demonstrated by a change in color.

Environment

radare2 5.8.1 29949 @ linux-x86-64 git.5.8.0-65-g1100e12169 commit: 1100e12169dbdbe10081d4094129a5247738ecb1

tested in gnome-terminal

Impact

Tampering with the displayed data, and possibly code execution.

We are processing your report and will contact the radareorg/radare2 team within 24 hours. 9 months ago

We have contacted a member of the radareorg/radare2 team and are waiting to hear back 9 months ago

pancake

commented 9 months ago

Maintainer

First of all thanks for such a neat test case and great reproducer you built in there :) also, sorry for the delay, i fall asleep before pushing the fixes, but i took some few more time today to test it further and fix other corner cases.

Sanitizing ansi chars is kind of difficult and affects many console applications, so handling this properly is a little tricky.

Let me push the PR and link it in here! Good findings! I plan to release 5.8.2 next week. That patch will be included in that release. Let me know if you find other corners i didn't covered

thanks!

pancake

commented 9 months ago

Maintainer

Here's the fix .ill merge when the CI finishes https://github.com/radareorg/radare2/pull/21231

solid-snail

commented 9 months ago

Researcher

Didn't get to test it yet, so correct me if I'm wrong, but I think that if there are two consecutive escape sequences the second one would remain. Other than that looks great :)

Also, just wandering, why not just eliminate the escape character? It'd be less complex and would catch more kinds of sequences (like checksum and cursor up I believe?).

pancake

commented 8 months ago

Maintainer

Should be fixed now, please confirm and ill close the ticket

solid-snail

commented 8 months ago

Researcher

Confirm!

Awesome job 👍

pancake validated this vulnerability 8 months ago

solid-snail has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

pancake marked this as fixed in 5.8.2 with commit 961f0e 8 months ago

pancake has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Jan 15th 2023

pancake

commented 8 months ago

Maintainer

Let me know if you find any other way to inject escape chars on unfiltered printed things in r2land :) thank you!

pancake published this vulnerability 8 months ago

to join this conversation

We are processing your report and will contact the radareorg/radare2 team within 24 hours. 9 months ago

We have contacted a member of the radareorg/radare2 team and are waiting to hear back 9 months ago

pancake

commented 9 months ago

Maintainer

Sanitizing ansi chars is kind of difficult and affects many console applications, so handling this properly is a little tricky.

Let me push the PR and link it in here! Good findings! I plan to release 5.8.2 next week. That patch will be included in that release. Let me know if you find other corners i didn't covered

thanks!

pancake

commented 9 months ago

Maintainer

Here's the fix .ill merge when the CI finishes https://github.com/radareorg/radare2/pull/21231

solid-snail

commented 9 months ago

Researcher

Didn't get to test it yet, so correct me if I'm wrong, but I think that if there are two consecutive escape sequences the second one would remain. Other than that looks great :)

Also, just wandering, why not just eliminate the escape character? It'd be less complex and would catch more kinds of sequences (like checksum and cursor up I believe?).

pancake

commented 8 months ago

Maintainer

Should be fixed now, please confirm and ill close the ticket

solid-snail

commented 8 months ago

Researcher

Confirm!

Awesome job 👍

pancake validated this vulnerability 8 months ago

solid-snail has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

pancake marked this as fixed in 5.8.2 with commit 961f0e 8 months ago

pancake has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Jan 15th 2023

pancake

commented 8 months ago

Maintainer

Let me know if you find any other way to inject escape chars on unfiltered printed things in r2land :) thank you!

pancake published this vulnerability 8 months ago

to join this conversation