NSA’s Ghidra already found to be plagued by a security vulnerability

• The reverse engineering tool was released by NSA this month as open-source software.
• The vulnerability found in Ghidra could be exploited with a remote code execution attack.

Weeks after the much-hyped Ghidra was unveiled at the RSA Conference, the security tool is in limelight again in the midst of the first vulnerability revealed in it.

It appears that a security expert who goes by the name sghctoma discovered a serious flaw in the open-source, reverse engineering tool. The expert has also detailed steps on exploiting this loophole in a GitHub post.

What is the bug?

• According to sghctoma, projects created in Ghidra are susceptible to XML External Entity(XXE) Expansion attacks.
• Attackers could make a user open or ‘restore’ a malicious project created by them.
• The bug was found in Ghidra version 9.0 when running on computers with Kali Linux. Additionally, OpenJDK 11.0.2 was the development kit.
• The security expert mentions that warnings for ‘external entities were not working on XML Parser.

How to recreate the bug behavior?

Sghctoma explains how this bug could be created in Ghidra. The method is described below.

“Steps to reproduce the behavior:

1. Create a project, and close it.
2. Put an XXE payload in any of the XML files in the project directory (see screenshot for example).
3. Open the project.
4. Observe your payload doing its thing.

The same concept works with archived projects (.gar files) too.”

Meanwhile, another analysis by Tencent Security also revealed more details on the bug. “Based on our prior research on XXE vulnerability exploitation, we found that attackers can abuse Java features and weaknesses in NTLM protocol in the Windows operating system to achieve remote code execution,” the Tencent researchers wrote.

Bug addressed in next version

As per latest updates, this bug has been addressed in the latest version of Ghidra -- 9.0.1.