CVE-2020-15121

7.4 HIGH

📋 TL;DR

CVE-2020-15121 is a shell injection vulnerability in the radare2 reverse engineering framework, where a malformed PDB file name in the PDB server path allows arbitrary command execution. It affects users who open an executable in radare2 and run the 'idpd' command, which triggers the PDB symbol download. An attacker who gets a victim to analyze a crafted executable this way can execute shell commands on the victim's system.

💻 Affected Systems

Products:
  • radare2
Versions: All versions before 4.5.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when opening an executable in radare2 and running the 'idpd' command to download PDB symbols.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary command execution leading to data theft, persistence establishment, or lateral movement within the network.

🟠 Likely Case

Local file creation/destruction, data exfiltration, or installation of malware on the affected system.

🟢 If Mitigated

Limited impact if system runs with minimal privileges and network restrictions prevent external connections.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with radare2 and typically affects local systems rather than internet-facing services.
🏢 Internal Only: MEDIUM - Reverse engineering tools are often used in security research and development environments where exploitation could lead to internal network compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening the crafted file and running the command), but once triggered the shell injection is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.0 and later

Vendor Advisory: https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358

Restart Required: No

Instructions:

1. Update radare2 to version 4.5.0 or later using your package manager.
2. For source installations: git clone https://github.com/radareorg/radare2 && cd radare2 && sys/install.sh

🔧 Temporary Workarounds

Disable PDB downloads (all platforms)

Prevent radare2 from downloading PDB symbols by avoiding the 'idpd' command:

# Do not run 'idpd' command in radare2

Network restriction (linux)

Block radare2 network access to prevent PDB server connections. Note that the owner match applies to every process running as that UID, so these rules also cut off the user's other outbound HTTP/HTTPS traffic; running radare2 under a dedicated user keeps the restriction scoped to it.

sudo iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $(id -u) -j DROP
sudo iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner $(id -u) -j DROP

🧯 If You Can't Patch

  • Run radare2 in a sandboxed or isolated environment with minimal privileges
  • Monitor for creation of suspicious files like 'pwned' in working directories

🔍 How to Verify

Check if Vulnerable:

Check the installed version with r2 -v | grep version. If the reported version is below 4.5.0, the system is vulnerable.

Check Version:

r2 -v | grep version

Verify Fix Applied:

After updating, verify the version is 4.5.0 or higher. The pattern r2 -v | grep 'version 4\.5\.' confirms a 4.5.x build only; for 4.6 and later releases compare the version numbers directly instead of relying on this grep.
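An added example (not from the advisory or the radare2 project) of doing that comparison numerically in POSIX sh, so that 4.5.0, 4.6.x and 5.x all count as fixed while 4.4.x is flagged. It assumes, as an example-only assumption, that r2 -v prints the version as the first dotted X.Y.Z token in its output; the sample version strings are constructed.

```sh
#!/bin/sh
# Added example, not part of the advisory: compare the installed radare2 version
# against the fixed release numerically, so any version >= 4.5.0 counts as fixed.
# Assumption for this example: `r2 -v` prints the version as the first X.Y.Z token
# (e.g. "radare2 4.5.0 0 @ linux-x86-64 git.4.5.0").

FIXED_VERSION="4.5.0"   # first release containing the fix, per the advisory

# extract_version: pull the first dotted X.Y.Z token out of arbitrary `r2 -v` output
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeeds (status 0) when A >= B, comparing each component as a number
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# check_r2_output: given the text printed by `r2 -v`, print "fixed", "vulnerable"
# or "unknown" (no version found), with exit status 0, 1 or 2 respectively
check_r2_output() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "fixed"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Run against the installed binary when r2 is on PATH; the exit status mirrors the verdict
if command -v r2 >/dev/null 2>&1; then
    check_r2_output "$(r2 -v 2>/dev/null)"
fi
```

The component-wise comparison matters because a plain string compare or the 4\.5\. grep misclassifies 4.10.0 and 5.x; the function's exit status lets a fleet audit script act on the result without parsing the printed word.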

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation (especially 'pwned' file)
  • Radare2 process spawning unexpected child processes
  • Network connections to PDB servers from radare2

Network Indicators:

  • HTTP requests to PDB servers with malformed file names containing shell metacharacters

SIEM Query:

process_name:radare2 AND (process_command_line:*idpd* OR file_create_name:pwned)
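A runnable form of the "radare2 spawning unexpected child processes" indicator, added here as an example that is not part of the advisory. It scans process-exec events for a radare2 parent launching a shell; the key=value log format and the five sample events are constructed for this example, so map the parent/child field names onto what your EDR or auditd pipeline actually emits.

```sh
#!/bin/sh
# Added example, not part of the advisory: flag process-exec events where radare2
# is the parent and the child is a shell interpreter. The log format below is
# constructed for this example; real EDR/auditd output will use different field names.

# Constructed sample events: key=value fields, one event per line.
SAMPLE_LOG='ts=2020-07-20T10:00:01Z parent=radare2 child=sh cmdline="sh -c ls"
ts=2020-07-20T10:00:02Z parent=bash child=radare2 cmdline="radare2 sample.exe"
ts=2020-07-20T10:00:03Z parent=radare2 child=bash cmdline="bash -c id"
ts=2020-07-20T10:00:04Z parent=radare2 child=r2pm cmdline="r2pm -l"
ts=2020-07-20T10:00:05Z parent=cron child=sh cmdline="sh -c backup.sh"'

# flag_r2_shell_spawns: read events on stdin, print those with a radare2 parent
# and a shell child; tune the child list to the interpreters present on your hosts
flag_r2_shell_spawns() {
    grep -E 'parent=radare2 ' | grep -E 'child=(sh|bash|dash|zsh|cmd\.exe|powershell\.exe)( |$)'
}

# count_r2_shell_spawns: number of flagged events in the given log text
count_r2_shell_spawns() {
    printf '%s\n' "$1" | flag_r2_shell_spawns | wc -l | tr -d ' '
}

# Stand-alone run: print the flagged sample events (lines 1 and 3 of the sample)
printf '%s\n' "$SAMPLE_LOG" | flag_r2_shell_spawns
```

Keying on the parent/child relationship rather than on the 'pwned' file name catches the injection regardless of what command the crafted path carries; the second sample line shows why the parent field must be checked, since radare2 itself being launched from a shell is normal.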
