Command injection in Radare2

In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

radare2 操作系统命令注入漏洞

radare2是一套用于处理二进制文件的库和工具。 radare2 4.5.0之前版本中存在操作系统命令注入漏洞。攻击者可利用该漏洞执行shell代码并在当前目录中创建文件。

N/A

N/A