Arbitrary code execution through loading a malicious project #789

Closed
xiaofen9 opened this issue Jul 14, 2019 · 5 comments · Fixed by #812
Labels
Type: Bug Something isn't working

Comments

xiaofen9 commented Jul 14, 2019

Describe the bug
A path traversal vulnerability exists in RestoreTask.java from package ghidra.app.plugin.core.archive. This vulnerability allows attackers to overwrite arbitrary files on the system. To achieve arbitrary code execution, one of the solutions is to overwrite some critical Ghidra modules, e.g., the decompile module (in this case we need to know the installation path of Ghidra).

To Reproduce

  1. Load the malicious project.
  2. Malicious code will be executed when the decompile module is called.

Expected behavior
Here is a demo of the attack behavior.
https://youtu.be/RGqQMUd9hZM

Environment (please complete the following information):

  • OS: All systems
  • Ghidra Version: until v9.0.4

Remark
The vulnerability was found by researchers from GTISC@Georgia Tech.
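As an added illustration of the containment check a project restore needs (this is not Ghidra's code and not the fix from #812; the class and method names are assumed for the example), the following Java extracts a zipped project archive but rejects any entry whose name would resolve outside the chosen destination directory:

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/**
 * Restores a zipped project archive into destDir, refusing any entry whose
 * name would resolve outside destDir (the path-traversal / "zip slip" case).
 * Illustrative class; not part of Ghidra.
 */
public final class SafeArchiveRestore {

    /** Resolves one entry name against destDir, or throws if it escapes. */
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        // normalize() collapses "../" segments so the check sees the real target.
        // An absolute entry name ("/etc/x") replaces root in resolve() and also fails.
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith is component-wise: "/tmp/dest2" does not start with "/tmp/dest".
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes restore directory: " + entryName);
        }
        return target;
    }

    /** Extracts every entry, validating the target path before any write. */
    public static void restore(InputStream archive, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = resolveEntry(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zin.closeEntry();
            }
        }
    }
}
```

Because entries are written as they are read, a traversal entry late in the archive aborts the restore after earlier entries have already been written; validate every name in a first pass if partial extraction is unacceptable.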

@xiaofen9 xiaofen9 added the Type: Bug Something isn't working label Jul 14, 2019
erhan- commented Jul 14, 2019

Congratulations. That's a nice discovery!

@dev747368 dev747368 self-assigned this Jul 15, 2019
@ryanmkurtz (Collaborator) commented:

Thanks for finding this...we are investigating it.

@xiaofen9 (Author) commented:

> Thanks for finding this...we are investigating it.

Thanks for bringing us this awesome disassembler.
Technical details about the vulnerability can be found here: http://blog.fxiao.me/ghidra/

dev747368 added a commit to dev747368/ghidra that referenced this issue Jul 19, 2019
…t files from zip.

Abstracted guts of GFileSystemExtractAllTask, reused in RestoreTask.
Fixed NPE in RestoreTask if restore was canceled.
dev747368 added a commit to dev747368/ghidra that referenced this issue Jul 22, 2019
@ryanmkurtz ryanmkurtz added this to the 9.1 milestone Jul 23, 2019
@dev747368 (Collaborator) commented:

@xiaofen9 - please reopen this issue if this didn't address the problem

xiaofen9 commented Jul 24, 2019 via email

4 participants