Multiple vulnerabilities in NSA Ghidra



Published: 2019-09-30 | Updated: 2023-01-06
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2019-13623
CVE-2019-16941
CVE-2019-17664
CWE-ID CWE-22
CWE-776
CWE-426
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
Ghidra
Universal components / Libraries / Software for developers

Vendor National Security Agency

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

Updated: 27.10.2019

Added vulnerability #3.

1) Path traversal

EUVDB-ID: #VU21435

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13623

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the RestoreTask.java plugin (package from ghidra.app.plugin.core.archive). A remote attacker can create a specially crafted file with archived results, trick the victim into loading it and overwrite arbitrary files on the system with privileges on the current user.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ghidra: 9.0.0 - 9.0.4

External links

http://blog.fxiao.me/ghidra/
http://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Execution.html
http://github.com/NationalSecurityAgency/ghidra/issues/789


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) XML Entity Expansion

EUVDB-ID: #VU21434

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16941

CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to improper input validation when parsing XML files in the Bit Patterns Explorer feature in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. A remote attacker can create a specially crafted XML document, trick the victim into opening it via the Read XML Files feature and execute arbitrary code on the system with privilege of the current user.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ghidra: 9.0.0 - 9.0.4

External links

http://github.com/NationalSecurityAgency/ghidra/blob/79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca/Ghidra/Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java#L187-L188
http://github.com/NationalSecurityAgency/ghidra/issues/1090


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Untrusted search path

EUVDB-ID: #VU22307

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17664

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to Java process uses the current working directory for launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option. A local user who can place malicious files on the system and trick the victim to run Ghidrafrom the specific directory can execute the cmd.exe program from this working directory with privileges of the current user.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ghidra: 9.0.0 - 10.1.5

External links

http://github.com/NationalSecurityAgency/ghidra/issues/107
http://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-pr2h-5qhx-9544


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###