CVE-2024-26475 PoC — radare2 security vulnerability

Source
Associated Vulnerability
Title: radare2 security vulnerability (CVE-2024-26475)
Description: radare2 is a set of libraries and tools for working with binary files. radare2 versions v.0.9.7 through v.5.8.6 contain a security vulnerability: the flaw allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.
Description
An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.
Readme
# CVE-2024-26475

## Authors
Sherlock Fang, Vlad Tronciu, Ayam Babu

## Description
An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.

## Attack Vectors
A payload is crafted so that `treeblock = grub_malloc(data->blocksize);` yields a NULL pointer; when that value is assigned in `tree = (struct grub_sfs_btree *) treeblock;`, `tree` also points to NULL. The extent of exploitability depends on the specific context, but such a null pointer dereference would cause the program a denial of service, affecting its overall operation.

## Explanation of Vulnerability
Inside the function grub_sfs_read_extent there is a security vulnerability due to the lack of a check on the state of `treeblock`. The subsequent code proceeds to use `treeblock` without verifying that it points to a valid memory allocation. This leads to the dereference of a NULL pointer when `tree` is assigned the value of `treeblock` cast to a `struct grub_sfs_btree *` and then used in the call to grub_disk_read. Dereferencing a NULL pointer is undefined behaviour in C and typically results in a segmentation fault or access violation, causing the program to crash.

[<img width="500" alt="image" src="https://github.com/TronciuVlad/CVE-2024-26475/blob/main/vulnerable_function.png">](https://github.com/TronciuVlad/CVE-2024-26475/blob/main/vulnerable_function.png)

## Solution

We fixed the vulnerability by adding a check on whether the grub_malloc allocation succeeded before its result is used, as shown below.

[<img width="500" alt="image" src="https://github.com/TronciuVlad/CVE-2024-26475/blob/main/solution.png">](https://github.com/TronciuVlad/CVE-2024-26475/blob/main/solution.png)
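The unchecked allocation the README describes, placed next to the checked form of the fix, as an added C illustration that is not radare2's, GRUB's, or this repository's code. `grub_malloc` and `grub_disk_read` are replaced by stand-ins (a fault-injecting allocator and `grub_disk_read_stub`, which copies a constructed header into the block), and the `struct grub_sfs_btree` field layout and `struct sfs_data` are assumed for the illustration rather than copied from GRUB.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the GRUB SFS B-tree block header; the field layout here is
 * assumed for the illustration, not copied from GRUB. */
struct grub_sfs_btree {
  uint32_t magic;
  uint16_t nodes;
  uint8_t leaf;
  uint8_t nodesize;
};

/* Hypothetical stand-in for the filesystem context that carries blocksize. */
struct sfs_data {
  size_t blocksize;
};

/* Fault injection: when fail_next_alloc is set, the next grub_malloc call
 * returns NULL once, which is how the allocation-failure path is exercised. */
static int fail_next_alloc = 0;

static void *grub_malloc(size_t n) {
  if (fail_next_alloc) {
    fail_next_alloc = 0;
    return NULL;
  }
  return malloc(n);
}

static void grub_free(void *p) { free(p); }

/* Stand-in for grub_disk_read: instead of touching a disk it copies a
 * constructed header into the block. Like the real call, it trusts the
 * buffer it is given. Returns 0 on success, -1 on error. */
static int grub_disk_read_stub(void *buf, size_t len) {
  struct grub_sfs_btree hdr = { 0x53465342u, 1, 1, 16 }; /* constructed sample */
  if (len < sizeof hdr)
    return -1;
  memcpy(buf, &hdr, sizeof hdr);
  return 0;
}

/* Vulnerable shape, as the README describes it: the grub_malloc result is
 * cast and handed to the disk read with no NULL check, so an allocation
 * failure becomes a NULL-pointer write inside the read. */
static int read_extent_unchecked(struct sfs_data *data, uint16_t *nodes_out) {
  void *treeblock = grub_malloc(data->blocksize);
  struct grub_sfs_btree *tree = (struct grub_sfs_btree *) treeblock;
  grub_disk_read_stub(tree, data->blocksize); /* writes through NULL on failure */
  *nodes_out = tree->nodes;
  grub_free(treeblock);
  return 0;
}

/* Hardened shape: test the allocation before it is cast or used and report
 * the failure to the caller. GRUB would set grub_errno; a negative return
 * code stands in for that here. */
static int read_extent_checked(struct sfs_data *data, uint16_t *nodes_out) {
  void *treeblock = grub_malloc(data->blocksize);
  if (treeblock == NULL)
    return -1; /* out of memory: nothing has been dereferenced */
  struct grub_sfs_btree *tree = (struct grub_sfs_btree *) treeblock;
  if (grub_disk_read_stub(tree, data->blocksize) != 0) {
    grub_free(treeblock);
    return -2; /* read error: release the block before returning */
  }
  *nodes_out = tree->nodes;
  grub_free(treeblock);
  return 0;
}

/* Entry points used by main() and by a test harness. */
int checked_path_on_alloc_failure(void) {
  struct sfs_data d = { 512 };
  uint16_t n = 0;
  fail_next_alloc = 1;
  return read_extent_checked(&d, &n); /* -1: failure reported, no crash */
}

int checked_path_normal(void) {
  struct sfs_data d = { 512 };
  uint16_t n = 0;
  if (read_extent_checked(&d, &n) != 0)
    return -1;
  return (int) n; /* 1: the constructed header's node count */
}

int unchecked_path_normal(void) {
  struct sfs_data d = { 512 };
  uint16_t n = 0;
  fail_next_alloc = 0; /* the unchecked path is only safe when allocation succeeds */
  read_extent_unchecked(&d, &n);
  return (int) n; /* 1 */
}

int main(void) {
  printf("checked, allocation fails: rc=%d\n", checked_path_on_alloc_failure());
  printf("checked, normal: nodes=%d\n", checked_path_normal());
  printf("unchecked, normal: nodes=%d\n", unchecked_path_normal());
  return 0;
}
```

Build with `cc -std=c99 example.c`. The unchecked variant is only driven down its success path: with the allocator forced to fail it would write through a NULL pointer and crash, which is the denial of service the advisory describes, whereas the checked variant turns the same allocation failure into an error code the caller can handle.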

## References
- https://cwe.mitre.org/data/definitions/476.html
- https://github.com/radareorg/radare2/issues/22586
- https://github.com/radareorg/radare2/commit/8419d7d0cbe61c687dcb8a35de0acccb2ee4c220
File Snapshot

[4.0K] /data/pocs/419ff3c4e24ca2ed1820df3ec080af2b8318b5a1
├── [ 14K] patched_sfs.c
├── [2.0K] README.md
├── [ 12K] solution.png
├── [ 45K] vulnerable_function.png
└── [ 14K] vulnerable_sfs.c

0 directories, 5 files