Ghidra is a software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate. The latest version of Ghidra (v9.0.1) addresses security issues and bugs and introduces some improvements to the overall user experience. One of the most notable fixes is an XXE vulnerability that could allow an attacker to trick a user into opening or restoring a specially crafted project.
A new feature was also added in version 9.0.1 – a script that shows all equates within the current selection.
After its first release in March, experts found an XML external entity (XXE) vulnerability that could be exploited by attackers who are able to trick a user into opening or restoring a specially crafted project.
“Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by the attacker.” Details of the issue along with screenshots can be found on GitHub.
“Steps to reproduce the behavior:
- Create a project, and close it.
- Put an XXE payload in any of the XML files in the project directory (see screenshot for example).
- Open the project.
- Observe your payload doing its thing.
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.”
Experts from Tencent Security also published an analysis that reveals how it is possible to exploit the XXE flaw to execute code on the victim’s machine remotely.
“Based on our prior research on XXE vulnerability exploitation, we found that attackers can abuse Java features and weaknesses in NTLM protocol in the Windows operating system to achieve remote code execution,” reads the analysis.
The experts demonstrated that an attacker could exploit the issue by setting up an HTTP server with NTLM authentication, then using the XXE/SSRF vulnerability to force NTLM authentication from the victim.
Ghidra version 9.0.1 has addressed the notorious XXE vulnerability along with the following security issues:
- Basic Infrastructure Improvements. Running Ghidra in debug mode no longer opens remotely accessible ports by default.
- GUI Improvements. The Defined Strings plugin no longer renders HTML in its table.