Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XXE Vulnerability in JnlpSupport of YAJSW affects Ghidra Server #943

Open
purpleracc00n opened this issue Aug 27, 2019 · 0 comments
Open

XXE Vulnerability in JnlpSupport of YAJSW affects Ghidra Server #943

purpleracc00n opened this issue Aug 27, 2019 · 0 comments

Comments

@purpleracc00n
Copy link

@purpleracc00n purpleracc00n commented Aug 27, 2019

Describe the bug
XXE vulnerability in YAJSW’s JnlpSupport affects Ghidra Server.

An insecure way to parse XML input was found in JnlpSupport class from Yet Another Java Service Wrapper used by Ghidra (up to latest version).

To Reproduce
Steps to reproduce the behavior:

  1. Create an XXE payload file and set the extension of the file to ".jnlp"
  2. Go to <path_to_ghidra>/server/ghidraSvr
  3. Modify "WRAPPER_CONF" value to point to the ".jnlp" file
  4. Run ghidraSvr using "$ sudo ./ghidraSvr start"
  5. XXE exploit in the ".jnlp" file gets executed

Expected behavior
Extended XML Entities should be disabled.

Environment:

  • OS: Kali Linux, Debian 4.19.37-2kali1 (2019-05-15)
  • Java Version: 11.0
  • Ghidra Version: 9.0.4

Additional context
I understand the vulnerable code is actually part of a separate library, however I considered this of interest and I suggest adding a filter so no ".jnlp" configuration files are allowed as values for "WRAPPER_CONF", at least until YAJSW patches this problem.

More PoC (Available after the fix is confirmed): https://github.com/purpleracc00n/Exploits-and-PoC/blob/master/XXE%20in%20YAJSW%E2%80%99s%20JnlpSupport%20affects%20Ghidra%20Server.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.