
Project handling is susceptible to XXE #71

Closed
sghctoma opened this issue Mar 6, 2019 · 8 comments

Comments

@sghctoma commented Mar 6, 2019

Describe the bug
Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by an attacker.

To Reproduce
Steps to reproduce the behavior:

  1. Create a project, and close it.
  2. Put an XXE payload in any of the XML files in the project directory (see screenshot for example).
  3. Open the project.
  4. Observe your payload doing its thing.

The same concept works with archived projects (.gar files) too.

Expected behavior
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.

Screenshots
The following screenshot was made of a proof of concept that only issues an HTTP GET request to localhost.

[Screenshot: Ghidra XXE PoC]

Environment (please complete the following information):

  • OS: Kali Linux Rolling
  • JDK Version: OpenJDK 11.0.2 (11.0.2+9-Debian-3)
  • Ghidra Version: 9.0

@sghctoma sghctoma added the bug label Mar 6, 2019

@nsadeveloper789 nsadeveloper789 self-assigned this Mar 8, 2019

@nsadeveloper789 (Contributor) commented Mar 8, 2019

Good find! Thanks. Looks like a pretty straightforward configuration fix.

@sghctoma (Author) commented Mar 8, 2019

You're welcome.

Out of curiosity: are you sure there is a config fix for this? I.e. can external entity processing be disabled globally for JDOM/SAXBuilder? I was under the impression you have to turn it off for every SAXBuilder instance individually. If there is no global way, please make sure to fix this everywhere, because this issue is not restricted to projects; e.g. Tool import is also affected.

@nsadeveloper789 nsadeveloper789 added this to the 9.0.1 milestone Mar 14, 2019

@nsadeveloper789 (Contributor) commented Mar 14, 2019

Yeah. We're on the same page. When I said "configure" I didn't mean to imply there's some system property or whatever you set. I made factory methods to create properly configured SAXParsers and SAXBuilders, and refactored everything to use them.
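What such a pair of factory methods can look like, as an added illustration that is not the Ghidra project's own code: it assumes JDOM 2 (org.jdom2) on top of the JDK's built-in Xerces parser, and the names SecureXml, secureSaxBuilder and secureSaxParser are hypothetical. Refusing any DOCTYPE also produces the parse error the reporter asked for when a DTD is present.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;
import org.xml.sax.SAXException;
public final class SecureXml {                       // hypothetical class name
    // Xerces/SAX feature URIs; refusing any DOCTYPE is the simplest way to rule out external entities
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAM = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // Non-validating JDOM builder that throws on <!DOCTYPE> and never fetches external entities or DTDs
    public static SAXBuilder secureSaxBuilder() {
        SAXBuilder b = new SAXBuilder(XMLReaders.NONVALIDATING);
        b.setFeature(DISALLOW_DOCTYPE, true);
        b.setFeature(EXT_GENERAL, false);            // belt and braces, should a parser ignore the line above
        b.setFeature(EXT_PARAM, false);
        b.setFeature(LOAD_DTD, false);
        b.setExpandEntities(false);                  // JDOM: leave entity references unexpanded
        return b;
    }
    // Same settings for code that uses a JAXP SAXParser directly instead of JDOM
    public static SAXParser secureSaxParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAM, false);
        f.setFeature(LOAD_DTD, false);
        f.setXIncludeAware(false);                   // XInclude is another way to pull in remote content
        return f.newSAXParser();
    }
    public static void main(String[] args) throws IOException {
        // Constructed inputs: a plain project file, and one carrying a DOCTYPE (any entity declaration at all)
        String plain = "<PROJECT NAME=\"demo\"/>";
        String withDoctype = "<!DOCTYPE PROJECT [<!ENTITY e \"x\">]><PROJECT NAME=\"&e;\"/>";
        SAXBuilder b = secureSaxBuilder();
        try {
            Document d = b.build(new StringReader(plain));
            System.out.println("parsed root element: " + d.getRootElement().getName());
            b.build(new StringReader(withDoctype));  // must throw: the DOCTYPE is rejected before any entity is read
        } catch (JDOMException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every call site that previously did `new SAXBuilder()` or `SAXParserFactory.newInstance()` directly (project files, .gar archives, tool import) would go through these two methods, which is the refactoring described in the comment above.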

@attritionorg commented Mar 19, 2019

@nsadeveloper789 Can you link to the fixing commit please?

kant2002 added a commit to kant2002/Ghidra that referenced this issue Mar 27, 2019

Fixed an XXE vulnerability affecting projects and many other saved components

See NationalSecurityAgency/ghidra#71

Signed-off-by: Andrii Kurdiumov <kant2002@gmail.com>

@kant2002 (Contributor) commented Mar 27, 2019

@attritionorg you could see it here: kant2002/Ghidra@19302d4
I go as far as I can in an attempt to properly capture the appropriate changes.

@nsadeveloper789 (Contributor) commented Mar 27, 2019

Unfortunately, no. Since our source repo is not yet published, there is no commit to link to. Additionally, the commit history up to the source release will not likely be present.
It looks like folks are tracking the 9.0 to 9.0.1 changes by unpacking the source .jars, though, and that should capture the relevant patches, albeit squashed with others.

@attritionorg commented Mar 27, 2019

@nsadeveloper789 thanks. @kant2002 linked to his fix, which gives the additional info I am after. Appreciate it!

@vernieri commented Apr 2, 2019

Thx a lot.

kant2002 added a commit to kant2002/Ghidra that referenced this issue Apr 3, 2019

Project handling is susceptible to XXE. Part #2
See NationalSecurityAgency/ghidra#71

Signed-off-by: Andrii Kurdiumov <kant2002@gmail.com>
5 participants