Be careful! NSA reverse engineering tool has a remote code execution vulnerability

Posted by santillano at 2020-04-12

According to foreign media reports, researchers say that Ghidra, the general-purpose disassembler and decompiler released by the NSA in early March, has a remote code execution vulnerability: Ghidra is exposed to XML external entity (XXE) injection when it loads projects.

A report on GitHub shows that anyone who can trick a user into opening or restoring a specially prepared project can exploit this vulnerability at the moment the project is opened or restored.

Reproducing the vulnerability involves creating a new project and placing an XXE payload in an XML file inside the project directory; once the project is opened, the payload is processed. A researcher using the handle sghctoma found that the vulnerability also affects archived projects (.gar files).
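Since the trigger is an XML file under the project directory whose DTD makes the parser reach outside the file, a defender can screen a project directory before opening it. The following is an added example written for this article; it is not Ghidra code, does not model Ghidra's real project layout, and the sample XML documents, file names and URIs it contains are constructed placeholders. It walks a directory, reports every external entity or external DTD declaration found in `*.xml` files, and optionally rejects any DOCTYPE at all (the stricter policy).

```python
"""Pre-open screen for external entity / external DTD declarations in XML files.

Added example for this article (not Ghidra's own code). It does not parse the
XML; it pattern-matches the declarations an XXE payload relies on, so an
unusual file is flagged for a human to look at rather than opened blindly.
"""
import re
import sys
import tempfile
from pathlib import Path

# <!DOCTYPE root SYSTEM "uri"> or <!DOCTYPE root PUBLIC "pubid" "uri">.
# Group 3 is the system literal (the URI the parser would fetch).
EXT_DTD_RE = re.compile(
    r'<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC\s+(["\'])[^"\']*\1)\s+(["\'])([^"\']*)\2',
    re.IGNORECASE,
)

# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "pubid" "uri">.
# Group 1 marks a parameter entity, group 2 is the name, group 5 the URI.
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\S+)\s+(?:SYSTEM|PUBLIC\s+(["\'])[^"\']*\3)\s+(["\'])([^"\']*)\4',
    re.IGNORECASE,
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def scan_xml_text(text, strict=False):
    """Return a list of (kind, detail) findings for one XML document.

    With strict=True a DOCTYPE with no external identifiers is still reported,
    for environments that choose to reject DTDs in project files altogether.
    The whole text is scanned (including comments/CDATA), which errs towards
    false positives; that is the right bias for a pre-open screen.
    """
    findings = []
    for m in EXT_DTD_RE.finditer(text):
        findings.append(("external-dtd", m.group(3)))
    for m in EXT_ENTITY_RE.finditer(text):
        kind = "external-parameter-entity" if m.group(1) else "external-general-entity"
        findings.append((kind, f"{m.group(2)} -> {m.group(5)}"))
    if strict and not findings and DOCTYPE_RE.search(text):
        findings.append(("doctype", "DOCTYPE present; strict policy rejects any DTD"))
    return findings


def scan_project_dir(root, strict=False):
    """Map each flagged *.xml path under root to its findings (clean files omitted)."""
    report = {}
    for path in sorted(Path(root).rglob("*.xml")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            report[str(path)] = [("unreadable", str(exc))]
            continue
        findings = scan_xml_text(text, strict=strict)
        if findings:
            report[str(path)] = findings
    return report


def safe_to_open(root, strict=False):
    """True when no file under root carries a flagged declaration."""
    return not scan_project_dir(root, strict=strict)


# Constructed samples (placeholder URIs; not real project files).
SAMPLE_CLEAN = '<?xml version="1.0"?><PROJECT NAME="demo"><ITEM/></PROJECT>'
SAMPLE_EXTERNAL_ENTITY = (
    '<?xml version="1.0"?>\n<!DOCTYPE PROJECT [\n'
    '  <!ENTITY ext SYSTEM "http://dtd.example.invalid/x">\n]>\n'
    '<PROJECT NAME="&ext;"/>'
)
SAMPLE_PARAM_ENTITY = (
    '<!DOCTYPE PROJECT [ <!ENTITY % p SYSTEM "file:///placeholder/not-real.dtd"> %p; ]>'
    '<PROJECT/>'
)
SAMPLE_EXTERNAL_DTD = (
    '<!DOCTYPE PROJECT PUBLIC "-//Example//DTD//EN" '
    '"http://dtd.example.invalid/project.dtd"><PROJECT/>'
)
SAMPLE_INTERNAL_DTD = '<!DOCTYPE PROJECT [ <!ENTITY a "b"> ]><PROJECT/>'


def demo():
    """Write the samples into a fresh temp directory, scan it, key results by file name."""
    tmp = Path(tempfile.mkdtemp(prefix="xxe-scan-demo-"))
    (tmp / "clean.xml").write_text(SAMPLE_CLEAN, encoding="utf-8")
    (tmp / "dtd.xml").write_text(SAMPLE_EXTERNAL_DTD, encoding="utf-8")
    (tmp / "sub").mkdir()
    (tmp / "sub" / "entity.xml").write_text(SAMPLE_EXTERNAL_ENTITY, encoding="utf-8")
    report = scan_project_dir(tmp)
    return {Path(p).name: [kind for kind, _ in f] for p, f in report.items()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_project_dir(target) if target else demo()
    for name, findings in result.items():
        print(name, findings)
```

Run it with a directory argument to screen a real project folder, or with none to see the constructed samples flagged. A clean result is a necessary, not sufficient, condition: the regexes only see declarations, so the firewall and JDK advice later in the article still applies.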

According to the researchers, building on earlier research into XXE exploitation, an attacker can combine Java's behaviour with weaknesses of the NTLM protocol on Windows to achieve remote code execution.

When the victim opens the malicious project in Ghidra, the attacker can obtain NTLM hashes from the victim's machine and execute arbitrary commands on it.

To prevent this, configure the Windows firewall to block incoming SMB requests. If you need to run an SMB server, enable SMB signing and upgrade the JDK to the latest version.

The XXE vulnerability will be fixed in the next version of Ghidra (9.0.1), which has not yet been released.