ANSI Escape Sequence Injection in radareorg/radare2
Reported on
Jan 2nd 2023
Description
Injection of escape sequences opens up the possibility for concealing / modifying viewed data, and code execution (as some esc seqs feed data back to stdin).
Proof of Concept
So far, the places I managed to find a successful injection are:
- when running `id` from the file name
- func signature in hex dump in visual mode
- func signature in disassembly and comment in disassembly
- func signature in location search (`_` in visual mode)
In the poc it is demonstrated by a change in color.
Environment
radare2 5.8.1 29949 @ linux-x86-64 git.5.8.0-65-g1100e12169 commit: 1100e12169dbdbe10081d4094129a5247738ecb1
tested in gnome-terminal
Impact
Tampering with the displayed data, and possibly code execution.
First of all thanks for such a neat test case and great reproducer you built in there :) also, sorry for the delay, I fell asleep before pushing the fixes, but I took some more time today to test it further and fix other corner cases.
Sanitizing ansi chars is kind of difficult and affects many console applications, so handling this properly is a little tricky.
Let me push the PR and link it in here! Good findings! I plan to release 5.8.2 next week. That patch will be included in that release. Let me know if you find other corners I didn't cover.
Thanks!
Here's the fix. I'll merge when the CI finishes: https://github.com/radareorg/radare2/pull/21231
Didn't get to test it yet, so correct me if I'm wrong, but I think that if there are two consecutive escape sequences the second one would remain. Other than that looks great :)
Also, just wondering, why not just eliminate the escape character? It'd be less complex and would catch more kinds of sequences (like checksum and cursor up I believe?).
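To make concrete what the two comments above are discussing (stripping escape sequences from untrusted strings before they reach the terminal, and the corner case of two consecutive sequences), here is an added example filter. It is not code from radare2 or from the linked PR; `ansi_filter` and `filtered_equals` are names chosen for this illustration, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Remove ANSI/VT escape sequences from untrusted text (file names, function
 * names, comments) before printing it to a terminal.  Handles CSI (ESC [ ... final
 * byte), OSC (ESC ] ... BEL or ESC \), ESC + intermediates + final (ESC ( B, ESC c),
 * and a bare or truncated ESC.  The outer loop restarts after every sequence, so
 * back-to-back sequences such as "\x1b[1m\x1b[31m" are all removed, not just the
 * first.  Dropping only the ESC byte (the alternative suggested above) would leave
 * the remaining bytes ("[31m") as visible literal text; this removes the whole
 * sequence.  Writes a NUL-terminated result to out and returns its length. */
size_t ansi_filter(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    const unsigned char *p = (const unsigned char *)in;
    while (*p && o + 1 < outsz) {
        if (*p != 0x1b) {                 /* ordinary byte: copy through */
            out[o++] = (char)*p++;
            continue;
        }
        p++;                              /* skip ESC */
        if (*p == '[') {                  /* CSI: params/intermediates 0x20-0x3f, final 0x40-0x7e */
            p++;
            while (*p >= 0x20 && *p <= 0x3f) p++;
            if (*p >= 0x40 && *p <= 0x7e) p++;   /* truncated sequence: stops at NUL */
        } else if (*p == ']') {           /* OSC (titles etc.): until BEL or ST (ESC \) */
            p++;
            while (*p && *p != 0x07 && !(*p == 0x1b && p[1] == '\\')) p++;
            if (*p == 0x07) p++;
            else if (*p == 0x1b) p += 2;
        } else if (*p) {                  /* ESC + optional intermediates 0x20-0x2f + one final byte */
            while (*p >= 0x20 && *p <= 0x2f) p++;
            if (*p) p++;
        }                                 /* bare ESC at end of input: already dropped */
    }
    out[o] = '\0';
    return o;
}

/* Helper for checks: filter `in` and compare with the expected clean text. */
int filtered_equals(const char *in, const char *expected) {
    char buf[256];
    ansi_filter(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[64];
    ansi_filter("main\x1b[31m\x1b[1m_hidden\x1b[0m", buf, sizeof buf);  /* constructed sample */
    printf("%s\n", buf);                  /* prints main_hidden, with no colour change */
    return 0;
}
```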
Should be fixed now, please confirm and I'll close the ticket.
Let me know if you find any other way to inject escape chars on unfiltered printed things in r2land :) thank you!