ANSI Escape Sequence Injection in radareorg/radare2

Valid

Reported on

Jan 2nd 2023


Description

Injection of escape sequences opens up the possibility of concealing or modifying viewed data, and of code execution (some escape sequences feed data back to stdin).

Proof of Concept

poc

So far, the places I managed to find a successful injection are:

  • when running id from the file name
  • func signature in hex dump in visual mode
  • func signature in disassembly and comment in disassembly
  • func signature in location search (_ in visual mode)

In the poc it is demonstrated by a change in color.

Environment

radare2 5.8.1 29949 @ linux-x86-64 git.5.8.0-65-g1100e12169 commit: 1100e12169dbdbe10081d4094129a5247738ecb1

tested in gnome-terminal

Impact

Tampering with the displayed data, and possibly code execution.

We are processing your report and will contact the radareorg/radare2 team within 24 hours. 9 months ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back 9 months ago
pancake
9 months ago

Maintainer


First of all, thanks for such a neat test case and great reproducer you built in there :) Also, sorry for the delay, I fell asleep before pushing the fixes, but I took some more time today to test it further and fix other corner cases.

Sanitizing ANSI chars is kind of difficult and affects many console applications, so handling this properly is a little tricky.

Let me push the PR and link it in here! Good findings! I plan to release 5.8.2 next week. That patch will be included in that release. Let me know if you find other corners I didn't cover.

thanks!

pancake
9 months ago

Maintainer


Here's the fix. I'll merge when the CI finishes: https://github.com/radareorg/radare2/pull/21231

solid-snail
9 months ago

Researcher


Didn't get to test it yet, so correct me if I'm wrong, but I think that if there are two consecutive escape sequences the second one would remain. Other than that, looks great :)

Also, just wondering, why not just eliminate the escape character? It'd be less complex and would catch more kinds of sequences (like checksum and cursor up, I believe?).

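To illustrate the filtering discussed in this thread, including the consecutive-sequence case raised above, here is an added example that is not radare2's own code or the code in the linked PR: a small C sanitizer that drops every ESC-initiated sequence from an untrusted display string (symbol name, file name, comment) before it is printed. `strip_ansi` and its behaviour are assumptions of this example, not the project's API.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not radare2's r_str_ansi_* API): remove every
 * ESC-initiated sequence from an untrusted string in place, so a crafted
 * symbol name, file name or comment cannot recolor, hide or rewrite what
 * the terminal shows. Returns the new length. */
size_t strip_ansi(char *s) {
    unsigned char *p = (unsigned char *)s;
    size_t r = 0, w = 0, n = strlen(s);
    while (r < n) {
        if (p[r] != 0x1b) { p[w++] = p[r++]; continue; } /* ordinary byte */
        if (++r >= n) break;                             /* trailing bare ESC */
        unsigned char k = p[r];
        if (k == '[') {                 /* CSI: ESC [ params... final byte */
            r++;
            while (r < n && p[r] >= 0x20 && p[r] <= 0x3f) r++; /* param bytes */
            if (r < n && p[r] >= 0x40 && p[r] <= 0x7e) r++;    /* final byte */
        } else if (k == ']' || k == 'P' || k == '_' || k == '^') {
            /* OSC / DCS / APC / PM: string ends with BEL or ST (ESC \) */
            r++;
            while (r < n && p[r] != 0x07 && p[r] != 0x1b) r++;
            if (r < n && p[r] == 0x07) r++;
            else if (r + 1 < n && p[r + 1] == '\\') r += 2;
            /* a lone ESC inside the string is left for the next iteration */
        } else {
            r++;                        /* two-byte sequence, e.g. ESC c */
        }
        /* looping back here is what also removes a second, consecutive sequence */
    }
    p[w] = '\0';
    return w;
}

int main(void) {
    /* constructed sample: a "symbol name" wrapped in two consecutive SGR sequences */
    char name[] = "\x1b[31m\x1b[1msym.main\x1b[0m";
    strip_ansi(name);
    printf("%s\n", name);  /* sym.main */
    return 0;
}
```

Running the sanitizer over the data path rather than the terminal is the defensive choice: a bare ESC, an unterminated CSI and an OSC string all leave nothing that gnome-terminal would interpret.
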
pancake
8 months ago

Maintainer


Should be fixed now, please confirm and I'll close the ticket.

solid-snail
8 months ago

Researcher


Confirm!

Awesome job 👍

pancake validated this vulnerability 8 months ago
solid-snail has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pancake marked this as fixed in 5.8.2 with commit 961f0e 8 months ago
pancake has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 15th 2023
pancake
8 months ago

Maintainer


Let me know if you find any other way to inject escape chars on unfiltered printed things in r2land :) thank you!

pancake published this vulnerability 8 months ago