Earlier this month, NSA open-sourced Ghidra – its reverse engineering tool. Right after its release, researchers began discovering bugs in the tool. One such critical Ghidra vulnerability can even lead to remote code execution.
Critical RCE Ghidra Vulnerability
A researcher with the alias sghctoma on Twitter spotted a critical Ghidra vulnerability within 24 hours of its release. As disclosed in his tweet, he found the tool contains an XML external entity (XXE) vulnerability.
it's Java.. so of course it's susceptible to XXE.. kids, don't accept #Ghidra projects from strangers! pic.twitter.com/y54KCeDPlX
— bash the fash (@sghctoma) March 6, 2019
Describing the bug in his Github report, the researcher stated,
“Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by attacker.”
Following his discovery, researchers at Tencent Security Lab also scratched the surface to find other details. They discovered weaknesses in the NTLM protocol in Windows OS. The XXE vulnerability, upon exploiting by a potential attacker along with abuse of Java features and NTLM vulnerabilities, can lead to remote code execution. They have shared their findings in their blog post.
Tencent researchers also shared proof-of-concept of the attack method. They explained that a potential attacker may create malicious Ghidra file with XXE exploit which then help them execute codes on the victim machine.
“When victim use Ghidra to open this malicious project, attacker can obtain NTLM Hash from the victim’s machine, therefore execute arbitrary command on victim’s machine.”
The following demonstrated the RCE attack on Ghidra from XXE flaw.
Patch Yet To Release
In response to the researcher sghctoma’s Github report, an NSA developer responded informing about the fix.
“I made factory methods to create properly configured SAXParsers and SAXBuilders, and refactored everything to use them.”
Besides, the researcher also confirmed that a fix will be available with the upcoming Ghidra 9.0.1 release.
“The fix is part of the 9.0.1 release, which is not yet public… The vulnerability is in how the software parses XML (not just Projects, but Tools, etc.), not in the projects themselves. So when, or with what version the project was created does not matter.”
Take your time to comment on this article.