
Arbitrary code execution through loading a malicious project #789

Closed
xiaofen9 opened this issue Jul 14, 2019 · 5 comments

Comments

@xiaofen9

commented Jul 14, 2019

Describe the bug
A path traversal vulnerability exists in RestoreTask.java from package ghidra.app.plugin.core.archive. This vulnerability allows attackers to overwrite arbitrary files on the system. To achieve arbitrary code execution, one of the solutions is to overwrite some critical Ghidra modules, e.g., the decompile module (in this case we need to know the installation path of Ghidra).

To Reproduce

  1. Load the malicious project.
  2. Malicious code will be executed when the decompile module is called.

Expected behavior
Here is a demo of the attack behavior.
https://youtu.be/RGqQMUd9hZM

Environment (please complete the following information):

  • OS: All systems
  • Ghidra Version: until v9.0.4

Remark
The vulnerability was found by researchers from GTISC@Georgia Tech.
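The fix commit referenced below describes making RestoreTask "safely extract files from zip". The containment check that stops this class of bug is shown here as an added Python example (not Ghidra's own Java code); the archive contents are constructed for the demo, and the escaping entry names are illustrative only:

```python
import io
import tempfile
import zipfile
from pathlib import Path


def resolve_inside(dest_dir, member_name):
    """Return the on-disk path for a zip member, or None if it would land outside dest_dir.
    Absolute names and '..' components are both caught because the candidate path is fully
    resolved before the containment check."""
    dest = Path(dest_dir).resolve()
    candidate = (dest / member_name).resolve()
    if candidate == dest or dest in candidate.parents:
        return candidate
    return None


def check_archive(zip_bytes, dest_dir):
    """Names of every member that would escape dest_dir (empty list means the archive is safe)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if resolve_inside(dest_dir, i.filename) is None]


def safe_extract(zip_bytes, dest_dir):
    """Validate the whole archive first, so no entry is written before a later one is rejected."""
    offenders = check_archive(zip_bytes, dest_dir)
    if offenders:
        raise ValueError(f"refusing to extract, entries escape {dest_dir}: {offenders}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_inside(dest_dir, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))  # write only after the containment check passed
            written.append(target)
    return written


def build_demo_archive(malicious):
    """Constructed sample: one benign project file plus, optionally, two escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/notes.txt", "benign content")
        if malicious:
            zf.writestr("../../outside.txt", "would land two levels above the destination")
            zf.writestr("/tmp/absolute.txt", "absolute member name")
    return buf.getvalue()


def demo():
    """Run both archives against a fresh temp dir: (offending names, refused?, extracted text)."""
    dest = tempfile.mkdtemp()
    offenders = check_archive(build_demo_archive(True), dest)
    try:
        safe_extract(build_demo_archive(True), dest)
        refused = False
    except ValueError:
        refused = True
    written = [p.read_text() for p in safe_extract(build_demo_archive(False), dest)]
    return offenders, refused, written
```

Python's own `ZipFile.extractall` already strips such names, which is why the example writes entries itself; the point is the resolve-then-compare check, which any extractor (Java's `File.getCanonicalPath` included) needs before it opens an output stream.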

@xiaofen9 xiaofen9 added the bug label Jul 14, 2019

@erhan-


commented Jul 14, 2019

Congratulations. That's a nice discovery!

@dev747368 dev747368 self-assigned this Jul 15, 2019

@ryanmkurtz

Collaborator

commented Jul 15, 2019

Thanks for finding this...we are investigating it.

@xiaofen9

Author

commented Jul 15, 2019

> Thanks for finding this...we are investigating it.

Thanks for bringing us this awesome disassembler.
Technical details about the vulnerability can be found here: http://blog.fxiao.me/ghidra/.

dev747368 added a commit to dev747368/ghidra that referenced this issue Jul 19, 2019

GT-3001 (NationalSecurityAgency#789) fix RestoreTask to safely extract files from zip.

Abstracted guts of GFileSystemExtractAllTask, reused in RestoreTask.
Fixed NPE in RestoreTask if restore was canceled.

dev747368 added a commit to dev747368/ghidra that referenced this issue Jul 22, 2019

@ryanmkurtz ryanmkurtz added this to the 9.1 milestone Jul 23, 2019

@dev747368

Collaborator

commented Jul 23, 2019

@xiaofen9 - please reopen this issue if this didn't address the problem

@xiaofen9

Author

commented Jul 24, 2019
