Uncontrolled Search Path Element when executing CMD. #107
Comments
I could not reproduce this. The first line of output in your Process Monitor is referencing bin\jython.exe. That is not part of the Ghidra release. Did you add that there? Were you doing anything with Eclipse projects in that jython directory?
Thanks for the additional info. Does it execute your cmd.exe binary every time you reset the python interpreter (ctrl+d or exit() from the interpreter)?
Yes, it happens in both cases: CTRL+D and exit()
Ok, I'll have to look into why Jython is doing this...it's definitely not necessary for our built-in python interpreter to function. Thanks for finding/reporting this and all of the detailed information!
Would you mind sharing the command line arguments that get passed to cmd.exe? Looking at the jython source, it seems to be launching cmd.exe /c ver to get the Windows version (and uname for linux/mac). I want to confirm that is what is happening for you.
Yes, it is launching cmd.exe /c ver
This security breach was silently fixed. It is not in release notes: https://ghidra-sre.org/releaseNotes.html#9_0_1
Unfortunately this issue was not able to be fixed for 9.0.1. Are you sure you are testing it in exactly the same manner as when you reported it?
You are right. It is not fixed yet.
cmd.exe is also launched every time you call getwindowsversion() from the interpreter.
It is possible to set the JAVA working directory, avoiding most of these situations, instead of fixing them one by one. I suggest adding the following code to "support\launch.bat":
I would say this is an issue in Jython. More specifically this line: https://github.com/jythontools/jython/blob/master/src/org/python/core/PySystemState.java#L1786 I would open an issue there and have it fixed upstream. However, Ghidra has the same issue when opening manuals, see: ghidra/Ghidra/Features/Base/src/main/java/ghidra/util/ManualViewerCommandWrappedOption.java Line 121 in 49c2010
I would use Linux should be OK as there binaries that are not in the
@ryanmkurtz was this issue ever addressed?
No, it is not fixed. It's more of an issue with Jython...it should be fixed in that library. As far as I know, Jython is unaware of the issue.
@jeff5 Could you take a look/have someone take a look at this?
Happy to take a look. You just missed v2.7.2, sorry. I raised https://bugs.jython.org/issue2882 . Almost certainly, the right answer is to use The standard library subprocess.py in CPython falls back to
Thank you Jeff!
Was this resolved? I don't see any responses to the Jython ticket.
No. I am hoping it gets put into Jython 2.7.3. Ghidra will upgrade its jar when 2.7.3 is released.
I opened a PR on Jython repo, which will hopefully fix this bug.
@jeff5 Do you have an idea of when 2.7.3-final will be coming out? I'm hoping to include it in the upcoming Ghidra 10.2 release.
I published the rc1 today (just waiting for Sonatype to index it properly to announce). So 2 weeks, all being well. I could squeeze that a little if you're committed to a date.
@jeff5 2 weeks sounds good, thanks!
Describe the bug
When executing Ghidra from a given path the Java process working directory is set to this path. Then, when launching Python interpreter located in "Ghidra Codebrowser" -> "Window" -> "Python"
Ghidra will try to execute an arbitrary file "cmd.exe" located in the attacker-chosen working directory.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Ghidra would resolve the right "cmd.exe" located in the Windows system directory.
Screenshots
Environment (please complete the following information):
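One way to get the behavior described under "Expected behavior", as an added example that is not code from Ghidra, Jython, or anyone in this thread: build the `cmd.exe /c ver` command from an absolute path under the Windows system directory instead of a bare file name. The class and method names are hypothetical, and taking the system directory from the `SystemRoot` environment variable is an assumption of this sketch.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

public class SystemCmdLauncher {  // hypothetical class, for illustration only

    /** Returns the absolute path of cmd.exe under <systemRoot>\System32, or throws. */
    static Path resolveSystemCmd(String systemRoot) throws IOException {
        if (systemRoot == null || systemRoot.isEmpty()) {
            throw new IOException("SystemRoot is not set");
        }
        Path root = Paths.get(systemRoot).normalize();
        if (!root.isAbsolute()) {
            // A relative root would be resolved against the working directory again.
            throw new IOException("SystemRoot is not absolute: " + systemRoot);
        }
        Path cmd = root.resolve("System32").resolve("cmd.exe");
        if (!Files.isRegularFile(cmd)) {
            throw new IOException("cmd.exe not found at " + cmd);
        }
        return cmd;
    }

    /** The same "/c ver" call as in the thread, with an absolute executable path. */
    static List<String> versionCommand(Path cmd) {
        return Arrays.asList(cmd.toString(), "/c", "ver");
    }

    public static void main(String[] args) throws Exception {
        if (!System.getProperty("os.name").startsWith("Windows")) {
            System.out.println("Not Windows: nothing to resolve");
            return;
        }
        // Assumption: SystemRoot in the process environment is trustworthy.
        Path cmd = resolveSystemCmd(System.getenv("SystemRoot"));
        // A bare "cmd.exe" here would leave the lookup to the OS search order,
        // which is how the copy in the working directory got picked up.
        Process p = new ProcessBuilder(versionCommand(cmd)).inheritIO().start();
        System.exit(p.waitFor());
    }
}
```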