
Project handling is susceptible to XXE #71

Closed
sghctoma opened this issue Mar 6, 2019 · 8 comments


sghctoma commented Mar 6, 2019

Describe the bug
Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by an attacker.

To Reproduce
Steps to reproduce the behavior:

  1. Create a project, and close it.
  2. Put an XXE payload in any of the XML files in the project directory (see screenshot for example).
  3. Open the project.
  4. Observe your payload doing its thing.

The same concept works with archived projects (.gar files) too.

Expected behavior
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.

Screenshots
The following screenshot was made of a proof of concept that only issues an HTTP GET request to localhost.

[Screenshot: Ghidra XXE PoC]

Environment (please complete the following information):

  • OS: Kali Linux Rolling
  • JDK Version: OpenJDK 11.0.2 (11.0.2+9-Debian-3)
  • Ghidra Version 9.0
@sghctoma sghctoma added the Type: Bug Something isn't working label Mar 6, 2019
@nsadeveloper789 nsadeveloper789 self-assigned this Mar 8, 2019
@nsadeveloper789 (Contributor)

Good find! Thanks. Looks like a pretty straightforward configuration fix.


sghctoma commented Mar 8, 2019

You're welcome.

Out of curiosity: are you sure there is a config fix for this? I.e. can external entity processing be disabled globally for JDOM/SAXBuilder? I was under the impression you have to turn it off for every SAXBuilder instance individually. If there is no global way, please make sure to fix this everywhere, because this issue is not restricted to projects; e.g. Tool import is also affected.

@nsadeveloper789 nsadeveloper789 added this to the 9.0.1 milestone Mar 14, 2019
@nsadeveloper789 (Contributor)

Yeah. We're on the same page. When I said "configure" I didn't mean to imply there's some system property or whatever you set. I made factory methods to create properly configured SAXParsers and SAXBuilders, and refactored everything to use them.
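The two things this thread turns on, the reporter's "put an external entity in a project XML file and open it" reproduction and the maintainer's per-instance factory-method fix, side by side as an added example. This is not Ghidra's code and the XML is a constructed stand-in in the rough shape of a project metadata file, not Ghidra's real format; the class name `XxeDemo`, the `defaultBuilder`/`secureBuilder`/`secureSaxParserFactory` method names and the feature-URI constants are this example's own. It assumes JDOM 1.x (`org.jdom`); with JDOM 2 only the package changes to `org.jdom2`. As sghctoma notes, there is no global switch for JDOM, so each `SAXBuilder` (and each JAXP `SAXParserFactory`) has to be configured where it is created, which is exactly why a shared factory method is the right shape.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;
import org.xml.sax.SAXException;

/**
 * Added example (not Ghidra code): a default JDOM SAXBuilder resolving an
 * external entity from an attacker-supplied XML file, next to a hardened
 * builder that refuses the DOCTYPE outright.
 */
public class XxeDemo {

    // Standard Xerces/SAX feature URIs; the JDK's built-in parser recognizes all of them.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** What a project loader gets with no configuration: DOCTYPE accepted, external entities fetched. */
    static SAXBuilder defaultBuilder() {
        return new SAXBuilder();
    }

    /**
     * Hardened, per-instance configuration. disallow-doctype-decl alone stops XXE
     * (no DOCTYPE means no entity declarations); the other features are defence in
     * depth in case a caller later re-enables DOCTYPEs for a file that needs one.
     */
    static SAXBuilder secureBuilder() {
        SAXBuilder b = new SAXBuilder(false);          // no DTD validation
        b.setFeature(DISALLOW_DOCTYPE, true);
        b.setFeature(EXT_GENERAL, false);
        b.setFeature(EXT_PARAMETER, false);
        b.setFeature(LOAD_EXTERNAL_DTD, false);
        b.setExpandEntities(false);
        return b;
    }

    /** The same hardening for code paths that use a JAXP SAXParser directly rather than JDOM. */
    static SAXParserFactory secureSaxParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    public static void main(String[] args) throws IOException, ParserConfigurationException, SAXException {
        // Constructed stand-in for a local file the attacker wants to read; a real payload would
        // point at a key file, or at an http: URL on the attacker's server as in the PoC screenshot.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        secret.toFile().deleteOnExit();
        Files.write(secret, "contents of a local file".getBytes(StandardCharsets.UTF_8));

        // Constructed XML; not Ghidra's real project file format. The entity is referenced in
        // element content because XML forbids external entity references inside attribute values.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE PROJECT [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<PROJECT><NAME>&xxe;</NAME></PROJECT>\n";

        SAXBuilder[] builders = { defaultBuilder(), secureBuilder() };
        String[] labels = { "default SAXBuilder", "hardened SAXBuilder" };
        for (int i = 0; i < builders.length; i++) {
            try {
                Document doc = builders[i].build(new StringReader(payload));
                System.out.println(labels[i] + ": parsed, NAME = "
                    + doc.getRootElement().getChildText("NAME"));
            } catch (JDOMException e) {
                System.out.println(labels[i] + ": rejected: " + e.getMessage());
            }
        }

        // The JAXP factory is configured the same way; just show that it yields a parser.
        secureSaxParserFactory().newSAXParser();
    }
}
```

The default builder expands `&xxe;` to the temp file's contents, which is the file-read form of the bug; the hardened builder fails at the DOCTYPE with a `JDOMException`, which also gives the "error/warning when they are present" behaviour the report asks for. If some project files legitimately carry a DOCTYPE, keep the three external-entity features off and drop only `DISALLOW_DOCTYPE`, rather than falling back to an unconfigured `new SAXBuilder()`.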

@attritionorg

@nsadeveloper789 Can you link to the fixing commit please?

kant2002 added a commit to kant2002/Ghidra that referenced this issue Mar 27, 2019
…ponents

See NationalSecurityAgency/ghidra#71

Signed-off-by: Andrii Kurdiumov <kant2002@gmail.com>
@kant2002 (Contributor)

@attritionorg you could see it here: kant2002/Ghidra@19302d4
I went as far as I could in an attempt to properly capture the appropriate changes.

@nsadeveloper789 (Contributor)

Unfortunately, no. Since our source repo is not yet published, there is no commit to link to. Additionally, the commit history up to the source release will not likely be present.
It looks like folks are tracking the 9.0 to 9.0.1 changes by unpacking the source .jars, though, and that should capture the relevant patches, albeit squashed with others.

@attritionorg

@nsadeveloper789 thanks. @kant2002 linked to his fix which gives the additional info I am after. appreciate it!


vernieri commented Apr 2, 2019

Thanks a lot.

kant2002 added a commit to kant2002/Ghidra that referenced this issue Apr 3, 2019
See NationalSecurityAgency/ghidra#71

Signed-off-by: Andrii Kurdiumov <kant2002@gmail.com>