Data Security

Flaw in NSA’s GHIDRA leads to remote code execution attacks

GHIDRA is NSA’s reverse engineering tool released earlier this month.

Earlier this month, Hackread.com posted about the National Security Agency’s (NSA) publicly releasing its decompiler and disassembler tool GHIDRA and make it open-source software. Now, it has been revealed that the generic reverse engineering tool has a flaw that can be exploited by cybercriminals for carrying out remote code execution. The tool was showcased at the RSA conference earlier in March, 2019.

The flaw was identified by Tencent Security researchers and a researcher using the Twitter handle, @sghctoma identified the flaw. Researchers at Tencent have also released a PoC (proof-of-concept) to explain how an attacker can exploit XXE vulnerability and target GHIDRA users.

GHIDRA has been written in Java language and can potentially break down executable documents into assembly code so that developers and researchers could easily assess it and get a better understanding of prevailing flaws in networks/systems.

Researchers claim that the loading process in version 9.0 and below of GHIDRA open-source tool have XXE (XML external entity) vulnerability identified by @sghctoma within just 24 hours of its release. The XXE bugs can be exploited for attacking XML input parsing applications.

Researchers at Tencent Security revealed that the attack takes place when there is a reference to an external entity in the XML input being processed by an XML parser that’s not appropriately configured. An attacker can easily acquire confidential data, carry out denial of service attack and server-side request forgery, initiate port scanning on the targeted device to locate the parser and similar other functions on the system.

Moreover, the attacker can exploit flaws in the NTLM protocol in Windows to launch an SMB relay attack and obtain the user’s hash to carry out remote code execution on the machine. Researchers noted in their report that:

“When sending HTTP requests using Java built-in class sun.net.www.protocol.http.HttpURLConnection, it will automatically determine the authentication method when [it] encounters a 401 status code,” said researchers.

“If [the] authentication method is NTLM, it will automatically authenticate using current user credentials. The root cause is, Java on Windows enables transparent NTLM authentication by default, and treats all URL as trusted.”

Since project GHIDRA is susceptible to the XXE attacks, the software can be targeted and exploited easily in a variety of ways by luring the user to open or restore a project that’s been developed by the attacker, said @sghctoma. This project can also be created rather effortlessly by the attacker by putting an XXE payload in any of the XML files present in the project directory. The same method can be used on .gar files.

The PoC released by Tencent shows how an attacker can execute a script on his own device to serve HTTP requests on port 80 and create a brand new GHIDRA project by editing the project.prp file to insert XXE exploit. When this project is opened by a user, the attacker immediately receives the NTLM hash from the targeted device, which gives the attacker the authority to execute an arbitrary command.

The flaw has been patched in the version 9.0.1 but it is yet to be released. Meanwhile, researchers urge users to block incoming SMB requests by installing the Windows Firewall and enabling SMB Sign. Moreover, users need to upgrade their machines to the most recent Java Development Kit version to mitigate the threat.

Watch the PoC released by Tencent Security researchers:

To Top

Pin It on Pinterest

Share This