Researcher Says NSA’s Ghidra Tool Can Be Used for RCE

Ghidra NSA tool

Researchers have released a proof-of-concept showing how a XXE vulnerability can be exploited to attack Ghidra project users.

Ghidra, a free, open-source software reverse-engineering tool that was released by the National Security Agency at RSA, has been found to be a potential conduit to remote code-execution.

Ghidra is a disassembler written in Java; software that breaks down executable files into assembly code that can then be analyzed. By deconstructing malicious code and malware, cybersecurity professionals can gain a better understanding of potential vulnerabilities in their networks and systems. The NSA has used it internally for years, and recently decided to open-source it.

The Ghidra project loading process in version 9.0 and below contains an XML external entity (XXE) vulnerability; the issue was uncovered less than 24 hours after Ghidra was released, by a researcher with the handle @sghctoma.

According to OWASP, XXE bugs can be used to attack applications that parses XML input.

“This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser,” according to the group. “This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.”

In Ghidra’s case, “project open/restore is susceptible to XML External Entity Expansion attacks,” said @sghctoma in a Github report. “This can be exploited in various ways by getting someone to open/restore a project prepared by attacker.”

The researcher explained that an attacker could create a project and simply put an XXE payload in any of the XML files in the project directory in order to attack a user; @sghctoma added that unfortunately, the same attack works with archived projects (.gar files).

This week, Tencent Security researchers said that they found that attackers can chain together an exploit for the vulnerability, the abuse of Java features and the exploitation of known weaknesses in the NTLM protocol in Windows to perform an SMB relay attack, thus stealing a user’s hash. Armed with that, an adversary could ultimately carry out remote code-execution on the computer of someone who is using the Ghidra tool, according to Tencent.

“When sending HTTP requests using Java built-in class sun.net.www.protocol.http.HttpURLConnection, it will automatically determine authentication method when [it] encounters a 401 status code,” they said in a short breakdown posted on Monday. “If [the] authentication method is NTLM, it will automatically authenticate using current user credentials. The root cause is, Java on Windows enables transparent NTLM authentication by default, and treats all URL as trusted.”

In Tencent’s proof-of-concept attack, to attack a Ghidra user, an adversary would first execute a script on their own machine that would serve HTTP requests on port 80. Then, they would create a new Ghidra project, editing the project file “project.prp” to insert an XXE exploit.

While the team didn’t release many details, they said that “when [a] victim uses Ghidra to open this malicious project, the attacker can then obtain the NTLM Hash from the victim’s machine, and therefore execute arbitrary command on victim’s machine.”

For mitigation, users can set Windows Firewall to block incoming SMB requests; and if the SMB server is required, they can enable SMB Sign. Users should also upgrade to latest version of the Java Development Kit.

Also, an NSA developer swiftly responded to @sghctoma’s Github posting, saying that addressing the bug would be “a pretty straightforward configuration fix.”

“I made factory methods to create properly configured SAXParsers and SAXBuilders, and refactored everything to use them,” the developer said – before closing the issue.

Threatpost reached out to @sghctoma to verify that the bug has been addressed. The researcher told us that “The fix is part of the 9.0.1 release, which is not yet public. The vulnerability is in how the software parses XML (not just Projects, but Tools, etc.), not in the projects themselves. So when, or with what version the project was created does not matter.”

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.

Suggested articles