*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

Impact
Malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run `idpd` to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.

Patches
Problem has been patched in 4.5.0 version in the following commit: 04edfa8

Workarounds
Set up `e bin.dbginfo=false` in `$HOME/.config/radare2/radare2rc` to disable PDB autoloading and do not use `idpd` manually

The file triggering error is attached here https://github.com/radareorg/radare2/files/4673454/ConsoleApplication1.zip (password is infected)

- An issue report: https://github.com/radareorg/radare2/issues/16945
- A pull request with a fix: https://github.com/radareorg/radare2/pull/16966
- A security advisory https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358
- Registered CVE https://nvd.nist.gov/vuln/detail/CVE-2020-15121

** Affects: radare2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: community-security

--
Radare2 <4.5.0 - Command injection during opening PE file with malformed debug symbol information (PDB) - `idpd` command
https://bugs.launchpad.net/bugs/1888338
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
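The class of check that closes this kind of bug, as an added example (not radare2's code and not the fix in commit 04edfa8): the PDB name and GUID read from the binary are treated as untrusted and allowlisted before they are placed in a download path. The function names, the `<server>/<name>/<guid>/<name>` layout, the length limits and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define NAME_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-"
#define HEX_CHARS  "0123456789ABCDEFabcdef"

/* The PDB name comes from the opened binary, so it is attacker-controlled:
 * accept only a bare file name of allowlisted characters ending in ".pdb". */
static bool pdb_name_is_safe(const char *name) {
	size_t len = name ? strlen(name) : 0;
	if (len < 5 || len > 255) return false;
	if (name[0] == '-' || name[0] == '.') return false; /* no option-like or dot-leading names */
	if (strspn(name, NAME_CHARS) != len) return false;  /* rejects quotes, ';', '$', '/', spaces */
	return strcasecmp(name + len - 4, ".pdb") == 0;
}

/* GUID+age component: plain hex only (length bounds are an assumption). */
static bool pdb_guid_is_safe(const char *guid) {
	size_t len = guid ? strlen(guid) : 0;
	return len >= 32 && len <= 40 && strspn(guid, HEX_CHARS) == len;
}

/* Builds <server>/<name>/<guid>/<name>. Returns 0 on success, -1 if a field is
 * rejected or the buffer is too small. The result should be handed to the
 * downloader as one argv element (exec-style), never pasted into a shell string. */
static int build_pdb_url(char *out, size_t n, const char *server,
                         const char *name, const char *guid) {
	if (!pdb_name_is_safe(name) || !pdb_guid_is_safe(guid)) return -1;
	int w = snprintf(out, n, "%s/%s/%s/%s", server, name, guid, name);
	return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void) {
	/* Constructed sample values, not taken from the attached file. */
	const char *guid = "0123456789ABCDEF0123456789ABCDEF1";
	const char *names[] = { "ConsoleApplication1.pdb", "a;b.pdb", "../x.pdb" };
	char url[512];
	for (size_t i = 0; i < 3; i++) {
		int rc = build_pdb_url(url, sizeof url, "https://symbols.example.invalid", names[i], guid);
		printf("%-26s -> %s\n", names[i], rc == 0 ? url : "rejected");
	}
	return 0;
}
```

Validation and shell-free execution are complementary: the allowlist also blocks path traversal in the local file name, which avoiding the shell alone would not.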
