Impact
rizin.c still had an old snippet of code which suffered from command injection due to the usage of rz_core_cmdf to invoke the command m, which was removed in v0.1.x. A malicious binary defining bclass (part of RzBinInfo) can execute a command if the same binary sets rclass (part of RzBinInfo) to fs: the binary-controlled bclass string is formatted directly into the command line handed to rz_core_cmdf, so any command syntax it contains is evaluated by the command interpreter. The vulnerability can be exploited by any bin format where bclass and rclass are user defined.
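The following is an added example, not rizin's code, showing why formatting an untrusted RzBinInfo field into a command string is an injection: a toy interpreter (toy_cmd / toy_cmdf, hypothetical names) stands in for rz_core_cmdf and models only one behaviour of the rizin command language, the ';' command separator. vulnerable_mount reproduces the pattern from the advisory; hardened_mount shows one mitigation, rejecting any bclass that is not a plain token before it reaches the interpreter (the actual fix in rizin removed the dead code path entirely, see Patches). The sample bclass values are constructed for the example; nothing is really executed, the interpreter only records what it would have run.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 8
#define CMD_LEN 128

/* Log of the commands the toy interpreter "executed" (nothing is really run). */
static char executed[MAX_CMDS][CMD_LEN];
static int executed_count;

static void reset_log(void) { executed_count = 0; }

/* Toy interpreter (hypothetical, not rizin's parser): splits the line on ';',
 * the command separator of the rizin command language, and records each piece.
 * Returns the number of commands it would have run. */
static int toy_cmd(const char *line) {
	char buf[CMD_LEN];
	int n = 0;
	strncpy(buf, line, sizeof buf - 1);
	buf[sizeof buf - 1] = '\0';
	for (char *tok = strtok(buf, ";"); tok && executed_count < MAX_CMDS; tok = strtok(NULL, ";")) {
		while (*tok == ' ') tok++;
		strncpy(executed[executed_count], tok, CMD_LEN - 1);
		executed[executed_count][CMD_LEN - 1] = '\0';
		executed_count++;
		n++;
	}
	return n;
}

/* Toy stand-in for rz_core_cmdf: printf-style formatting first, then the
 * resulting string goes through the command interpreter unchanged. */
static int toy_cmdf(const char *fmt, ...) {
	char line[CMD_LEN];
	va_list ap;
	va_start(ap, fmt);
	vsnprintf(line, sizeof line, fmt, ap);
	va_end(ap);
	return toy_cmd(line);
}

/* Vulnerable pattern from the advisory: rclass and bclass both come from the
 * binary being loaded, and bclass is spliced into the command line. Returns
 * the number of commands the interpreter ran. */
int vulnerable_mount(const char *rclass, const char *bclass) {
	reset_log();
	if (rclass && !strcmp("fs", rclass)) {
		const char *fstype = bclass;
		return toy_cmdf("m /root %s @ 0", fstype);
	}
	return 0;
}

/* Allowlist check: a filesystem type name is a plain token, so anything else
 * (separators, quotes, backticks, whitespace) is refused outright. */
static int is_plain_token(const char *s) {
	if (!s || !*s) return 0;
	for (; *s; s++) {
		if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-' && *s != '.') return 0;
	}
	return 1;
}

/* Hardened variant: validate the binary-controlled field before it can reach
 * the command interpreter. Returns -1 when bclass is rejected. */
int hardened_mount(const char *rclass, const char *bclass) {
	reset_log();
	if (rclass && !strcmp("fs", rclass)) {
		if (!is_plain_token(bclass)) return -1;
		return toy_cmdf("m /root %s @ 0", bclass);
	}
	return 0;
}

/* i-th command the toy interpreter recorded for the last call, "" if none. */
const char *executed_at(int i) { return (i >= 0 && i < executed_count) ? executed[i] : ""; }

int main(void) {
	/* Constructed inputs: a benign filesystem type and one carrying a separator. */
	printf("benign:  %d command(s)\n", vulnerable_mount("fs", "ext2"));
	printf("hostile: %d command(s), second = \"%s\"\n", vulnerable_mount("fs", "ext2; !id"), executed_at(1));
	printf("hardened rejects hostile: %d\n", hardened_mount("fs", "ext2; !id"));
	return 0;
}
```

With the hostile bclass the formatted line becomes "m /root ext2; !id @ 0", so the interpreter sees two commands instead of one; the validated variant never builds that line. In real code the stronger fix is to stop routing data through the command-string layer at all and call the underlying API with the value as an argument, which is also why removing the obsolete m invocation closed the hole.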
Patches
Fixed in commit db6c5b3.
References
rizin/librz/main/rizin.c, lines 1275 to 1278 in be24ca8 (the vulnerable snippet):

if (r->bin->cur && r->bin->cur->o && r->bin->cur->o->info && r->bin->cur->o->info->rclass && !strcmp("fs", r->bin->cur->o->info->rclass)) {
	const char *fstype = r->bin->cur->o->info->bclass;
	rz_core_cmdf(r, "m /root %s @ 0", fstype);
}