Describe the bug
XXE vulnerability in YAJSW’s JnlpSupport affects Ghidra Server.
An insecure way to parse XML input was found in JnlpSupport class from Yet Another Java Service Wrapper used by Ghidra (up to latest version).
To Reproduce
Steps to reproduce the behavior:
1. Create an XXE payload file and set the extension of the file to ".jnlp"
2. Go to <path_to_ghidra>/server/ghidraSvr
3. Modify "WRAPPER_CONF" value to point to the ".jnlp" file
4. Run ghidraSvr using "$ sudo ./ghidraSvr start"
5. XXE exploit in the ".jnlp" file gets executed
Expected behavior
Extended XML Entities should be disabled.
Environment:
OS: Kali Linux, Debian 4.19.37-2kali1 (2019-05-15)
Java Version: 11.0
Ghidra Version: 9.0.4
Additional context
I understand the vulnerable code is actually part of a separate library, however I considered this of interest and I suggest adding a filter so no ".jnlp" configuration files are allowed as values for "WRAPPER_CONF", at least until YAJSW patches this problem.
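As an added illustration of the expected behaviour described above (example code written for this page, not YAJSW's JnlpSupport or Ghidra's own code; the class name HardenedXmlConfigParser and the two sample documents are constructed), this is how a Java DocumentBuilderFactory is configured so that a configuration file such as a ".jnlp" cannot declare or resolve external entities. The second sample contains only a harmless internal entity, which is enough to show that any DOCTYPE is refused before entity resolution is even attempted:

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added illustration (hypothetical class, not YAJSW or Ghidra code): a DocumentBuilderFactory
 * configured so that an XML configuration file cannot declare or resolve external entities.
 */
public final class HardenedXmlConfigParser {

    /** Builds a factory with DOCTYPE handling and external entity resolution turned off. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Strongest single setting: refuse any DOCTYPE, which is where entities are declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** Parses an XML document from a string; throws SAXException if a DOCTYPE is present. */
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        // Never fetch an external resource: any resolution request gets an empty document.
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /** Returns true if the hardened parser accepts the document, false if it rejects it. */
    public static boolean accepts(String xml) {
        try {
            parse(xml);
            return true;
        } catch (SAXException e) {
            return false; // the DOCTYPE (or an entity declaration) was refused
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain document and one carrying an internal DTD.
        String plain = "<jnlp spec=\"1.0\"><information><title>demo</title></information></jnlp>";
        String withDoctype = "<!DOCTYPE jnlp [<!ENTITY greeting \"hello\">]><jnlp>&greeting;</jnlp>";

        System.out.println("plain document accepted:   " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));
    }
}
```

Rejecting every DOCTYPE is the setting that matters most: the SAX feature URIs above are honoured by the JDK's built-in Xerces parser, and the entity resolver is a last line of defence for parser implementations that do not support them. A service wrapper that only needs to read its own configuration has no legitimate use for a DTD, so the restriction costs nothing in functionality.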
I am rather confused by the write-up. Could you please explain how this is exploitable without modification to files contained within the Ghidra installation? If modification to files contained within the installation is considered possible, then any jar could be replaced and do just about anything.
If an attacker has write-access to the Ghidra installation directory, we do not consider malicious behavior that results from manipulation of those Ghidra files a vulnerability.
More PoC (Available after the fix is confirmed): https://github.com/purpleracc00n/Exploits-and-PoC/blob/master/XXE%20in%20YAJSW%E2%80%99s%20JnlpSupport%20affects%20Ghidra%20Server.md