| name | aibugs |
| description | Find bugs and vulnerabilities in C code for radare2 |
Introduction
There are several classic vulnerabilities misusing libc apis or just plain C. But you are an expert in radare2, so you must focus on understanding missuses of the libr apis and scripts instead.
Steps
- Read AGENTS.md, follow the rules
- Patches must be surgical, small, refactor to avoid duplicating code, keep logic simple.
- Find command injection vulnerabilities
- The
r_core_cmd apis parse special characters, which if the user or the binary loaded have control
- Better use
r_core_call functions
- Prefer the use of
call_at if a temporal seek is needed
- Autogenerated scripts
- The
* command suffix, will force the output to contain a script for radare2.
- Read the
r_cons_printf calls used in those subcommands to find out any
It's recommended, to run r2 oneliners to confirm the vulnerabilities are real before fixing them.
The single quote commands syntax permits temporal seeks too, for example this command is the safe equivocalent of x@0x123. Also, an important hint for single quote commands
'@0x123'x
The double quote commands are also vulnerable to command injection if data is not filtered properly for example:
"echo hello";"echo "world"
In the code above, if hello was controlled by the user they can include a quote to close the command and inject a semicolon to run a separate command.
Command syntax:
When running a command that starts with "'", the command parser will ignore all the special characters and just run the command with given arguments.
- if the command is a system shell escape
! there can be still code injection bugs, see the sanitize for sh in this case
Shell injection bugs
- See
r_str_sanitize_sh and the r_sys_cmd apis
- Ensure all this follows the right strict rules from the
r_sandbox settings
Sanitization APIs:
See r_name_filter, and all the r_str_sanitize apis to understand their purpose and use them wisely, do not reduce the.
Some commands accept base64: arguments. Use them if we really need raw data accepting any characters.