huntr report 727D8600-88BC-4DDE-8DEA-EE3D192600E5 (www.huntr.dev)
Reported by occia in radareorg/radare2
Dec 30, 2021 - 12:32 p.m. (2021-12-30 12:32:03)

Tags: vulnerability, radare2-5.5.4, out-of-bound read, buffer, crash, dos attack, rce

EPSS: 0.001
Percentile: 47.5%

Description

This vulnerability is an out-of-bounds read. The bug exists in the latest stable release (radare2-5.5.4). Specifically, the vulnerable code is as follows:

// libr/util/buf.c line 631
R_API void r_buf_fini(RBuffer *b) {
	...
	// the pointer address of b->methods is broken
	if (b->methods->get_whole_buf) {
	...
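As an added example (not radare2's code: the type names, struct layout and scenario helpers are assumptions, and the report does not say why b->methods is broken), here is a minimal model of a buffer dispatched through a methods table whose teardown validates that pointer against the tables the program actually installed before calling through it, so a corrupted methods pointer is refused rather than dereferenced:

```c
/* Added example, not radare2 code: a minimal model of a buffer whose
 * operations are dispatched through a "methods" table, with a teardown
 * routine that validates that pointer before calling through it.
 * Type and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct buf Buf;

typedef struct {
    /* Optional hook consulted at teardown (the field the crash dereferenced). */
    uint8_t *(*get_whole_buf)(Buf *b, size_t *sz);
    bool (*fini)(Buf *b);
} BufMethods;

struct buf {
    const BufMethods *methods;
    void *priv;
};

static bool bytes_fini(Buf *b) { free(b->priv); b->priv = NULL; return true; }

/* The only method tables this program ever installs in a Buf. */
static const BufMethods bytes_methods = { NULL, bytes_fini };
static const BufMethods file_methods  = { NULL, NULL };
static const BufMethods *const known_methods[] = { &bytes_methods, &file_methods };

/* True when m is one of the tables above; anything else is treated as a
 * corrupted pointer and is never dereferenced. */
bool buf_methods_valid(const BufMethods *m) {
    for (size_t i = 0; i < sizeof known_methods / sizeof known_methods[0]; i++)
        if (known_methods[i] == m) return true;
    return false;
}

/* Hardened teardown: 0 on success, -1 if the methods pointer is untrusted.
 * Leaking the buffer is preferred over calling through garbage. */
int buf_fini_checked(Buf *b) {
    if (!b || !buf_methods_valid(b->methods)) return -1;
    if (b->methods->get_whole_buf) { /* release a cached whole-buffer copy here, if any */ }
    if (b->methods->fini) b->methods->fini(b);
    b->methods = NULL;
    return 0;
}

/* Scenario helpers: a well-formed buffer, and one whose methods pointer
 * points at a table the program never installed (constructed corruption). */
int fini_known_methods(void) { Buf b = { &bytes_methods, malloc(16) }; return buf_fini_checked(&b); }
int fini_bogus_methods(void) { BufMethods fake = { NULL, NULL }; Buf b = { &fake, NULL }; return buf_fini_checked(&b); }
```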

Proof of Concept

Build radare2 5.5.4 and download the POC_FILE. Then run

# trigger the crash
radare2 -A -q POC_FILE

The crash stack information is:

#0  0x00007ffff7e33e7d in r_buf_fini (b=0x5555558f2d20)
    at buf.c:631
#1  r_buf_free (b=0x5555558f2d20) at buf.c:643
#2  0x00007ffff6224872 in r_bin_file_free (_bf=0x5555558f2680)
    at bfile.c:733
#3  0x00007ffff7e3af29 in r_list_delete (list=0x5555558068e0,
    iter=0x5555558f2900) at list.c:123
#4  r_list_purge (list=0x5555558068e0) at list.c:89
#5  r_list_free (list=0x5555558068e0) at list.c:99
#6  0x00007ffff6210d12 in r_bin_free (bin=0x5555558072a0)
    at bin.c:469
#7  0x00007ffff6563a86 in r_core_fini (c=0x555555761ce0)
    at core.c:3096
#8  0x00007ffff6563bef in r_core_free (c=c@entry=0x555555761ce0)
    at core.c:3123
#9  0x00007ffff7da1ac5 in r_main_radare2 (argc=4,
    argv=<optimized out>) at radare2.c:1554
#10 0x00007ffff7bb20b3 in __libc_start_main ()
   from /lib/x86_64-linux-gnu/libc.so.6
#11 0x00005555555562ae in _start ()

Impact

The POC attached here can be used directly to launch a DoS attack. Besides, it may be possible for an attacker to achieve RCE (Remote Code Execution) if the broken pointer (b->methods) can be further exploited (this needs more investigation).
