ANSI Escape Sequence Injection in radareorg/radare2
Jan 2nd 2023
Injection of escape sequences opens up the possibility of concealing or modifying viewed data, and of code execution (as some escape sequences feed data back to stdin).
Proof of Concept
So far, the places I managed to find a successful injection are:
- when running `id` from the file name
- func signature in hex dump in visual mode
- func signature in disassembly and comment in disassembly
- func signature in location search (`_` in visual mode)
In the PoC, the injection is demonstrated by a change in color.
radare2 5.8.1 29949 @ linux-x86-64 git.5.8.0-65-g1100e12169 commit: 1100e12169dbdbe10081d4094129a5247738ecb1
Tested in gnome-terminal.
Tampering with the displayed data, and possibly code execution.
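
One way to neutralize escape sequences in strings taken from an untrusted binary (file name, function signature, comment) before they are printed, as an added example that is not radare2 code or the project's fix. The helper name sanitize_for_tty is hypothetical and the sample function name is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a radare2 API): copy `src` into `dst`, rewriting
 * every terminal control byte as a visible \xNN literal so the terminal
 * never receives it as a control. Returns the output length, or -1 if
 * `dst` is too small. Tabs and newlines are escaped too, which suits
 * single-line fields such as names and signatures. */
static int sanitize_for_tty(const char *src, char *dst, size_t dstsz) {
    static const char hex[] = "0123456789abcdef";
    const unsigned char *s = (const unsigned char *)src;
    size_t o = 0;
    while (*s) {
        unsigned char c = *s;
        /* C0 controls (ESC 0x1b, BEL, CR, LF, ...) and DEL */
        int ctrl = c < 0x20 || c == 0x7f;
        /* C1 controls encoded as UTF-8 (U+0080..U+009F = C2 80..C2 9F);
         * U+009B acts as an 8-bit CSI on terminals that honour C1. */
        int c1 = c == 0xc2 && s[1] >= 0x80 && s[1] <= 0x9f;
        size_t n = c1 ? 2 : 1;
        size_t need = (ctrl || c1) ? 4 * n : 1;
        if (o + need + 1 > dstsz) return -1;
        if (ctrl || c1) {
            for (size_t i = 0; i < n; i++) {
                dst[o++] = '\\'; dst[o++] = 'x';
                dst[o++] = hex[s[i] >> 4]; dst[o++] = hex[s[i] & 15];
            }
        } else {
            dst[o++] = (char)c; /* printable ASCII and other UTF-8 pass through */
        }
        s += n;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed sample: a function name carrying an SGR colour sequence. */
    const char *name = "sym.\x1b[31mmain\x1b[0m";
    char out[128];
    if (sanitize_for_tty(name, out, sizeof out) >= 0)
        printf("%s\n", out);
    return 0;
}
```

The sanitizer belongs at the output boundary, applied to data-derived strings only, so the tool's own colour codes are still emitted.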