Ghidra: Project handling is susceptible to XXE

Created on 6 Mar 2019 · 8 comments · Source: NationalSecurityAgency/ghidra

Describe the bug
Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by an attacker.

To Reproduce
Steps to reproduce the behavior:

  1. Create a project, and close it.
  2. Put an XXE payload in any of the XML files in the project directory (see screenshot for example).
  3. Open the project.
  4. Observe your payload doing its thing.

The same concept works with archived projects (.gar files) too.

Expected behavior
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.

Screenshots
The following screenshot was made of a proof of concept that only issues an HTTP GET request to localhost.

[Screenshot: Ghidra XXE PoC]

Environment (please complete the following information):

  • OS: Kali Linux Rolling
  • JDK Version: OpenJDK 11.0.2 (11.0.2+9-Debian-3)
  • Ghidra Version: 9.0

Label: Bug

All 8 comments

Good find! Thanks. Looks like a pretty straightforward configuration fix.

You're welcome.

Out of curiosity: are you sure there is a config fix for this? I.e. can external entity processing be disabled globally for JDOM/SAXBuilder? I was under the impression you have to turn it off for every SAXBuilder instance individually. If there is no global way, please make sure to fix this everywhere, because this issue is not restricted to projects; e.g. Tool import is also affected.

Yeah. We're on the same page. When I said "configure" I didn't mean to imply there's some system property or whatever you set. I made factory methods to create properly configured SAXParsers and SAXBuilders, and refactored everything to use them.
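
The following is an added example, not code from the Ghidra project or from anyone in this thread. It shows the two halves of the issue side by side: a constructed project-style XML file carrying an external entity that reads a local file, parsed first with a default JDOM SAXBuilder (which resolves the entity, as the report describes) and then with a hardened builder in the spirit of the factory methods mentioned above. The class and method names (`XxeDemo`, `hardenedSaxBuilder`, `defaultSaxBuilder`) are hypothetical; the thread does not name Ghidra's factory. The example targets JDOM 2 (`org.jdom2`); the `setFeature` and `setExpandEntities` calls it relies on also exist on the JDOM 1.x `SAXBuilder`.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

/** Added demo (not Ghidra code): default vs. hardened JDOM SAXBuilder against an XXE payload. */
public class XxeDemo {

    // Hypothetical factory, one place that hands out a SAXBuilder with
    // entity processing switched off. Every call site would use this
    // instead of constructing its own SAXBuilder.
    public static SAXBuilder hardenedSaxBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Reject any DOCTYPE outright: project XML never needs one, and this
        // single feature stops both external and internal entity tricks.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that ignore the feature above.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        builder.setExpandEntities(false);
        return builder;
    }

    // Plain default builder, the pre-fix situation: external entities are resolved.
    public static SAXBuilder defaultSaxBuilder() {
        return new SAXBuilder();
    }

    // Parse the XML and return the text of <NAME>, i.e. whatever the entity expanded to.
    public static String parseAndReadName(SAXBuilder builder, String xml)
            throws JDOMException, java.io.IOException {
        Document doc = builder.build(new StringReader(xml));
        return doc.getRootElement().getChildText("NAME");
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for any file the victim can read.
        Path secret = Files.createTempFile("xxe-demo-", ".txt");
        Files.write(secret, "s3cr3t".getBytes(StandardCharsets.UTF_8));

        // Constructed payload shaped like a project XML file; the entity points at the file above.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE PROJECT [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<PROJECT><NAME>&xxe;</NAME></PROJECT>";

        // Default builder: the file contents end up inside the parsed document.
        System.out.println("default : " + parseAndReadName(defaultSaxBuilder(), payload));

        // Hardened builder: the DOCTYPE is refused before any entity is touched.
        try {
            parseAndReadName(hardenedSaxBuilder(), payload);
            System.out.println("hardened: parsed (unexpected)");
        } catch (JDOMException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with the JDOM 2 jar on the classpath (`javac -cp jdom2.jar XxeDemo.java && java -cp jdom2.jar:. XxeDemo`). The hardened path fails the parse rather than silently dropping the entity, which is the "error/warning when present" behaviour the report asks for; a factory like this is only effective if every `new SAXBuilder()` and `SAXParserFactory.newInstance()` in the code base is routed through it, which is why the tool-import path mentioned above matters as much as project open.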

@nsadeveloper789 Can you link to the fixing commit please?

@attritionorg you could see it here: https://github.com/kant2002/Ghidra/pull/9/commits/19302d466a58974b88bc07a7ab4ff745c4e5520f
I went as far as I could in an attempt to properly capture the appropriate changes.

Unfortunately, no. Since our source repo is not yet published, there is no commit to link to. Additionally, the commit history up to the source release will not likely be present.
It looks like folks are tracking the 9.0 to 9.0.1 changes by unpacking the source .jars, though, and that should capture the relevant patches, albeit squashed with others.

@nsadeveloper789 thanks. @kant2002 linked to his fix which gives the additional info I am after. appreciate it!

Thanks a lot.
