SB2019093006 - Multiple vulnerabilities in NSA Ghidra
Published: September 30, 2019 Updated: January 6, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2019-13623)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the RestoreTask.java plugin (package from ghidra.app.plugin.core.archive). A remote attacker can create a specially crafted file with archived results, trick the victim into loading it and overwrite arbitrary files on the system with privileges on the current user.
2) XML Entity Expansion (CVE-ID: CVE-2019-16941)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper input validation when parsing XML files in the Bit Patterns Explorer feature in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. A remote attacker can create a specially crafted XML document, trick the victim into opening it via the Read XML Files feature and execute arbitrary code on the system with privilege of the current user.
3) Untrusted search path (CVE-ID: CVE-2019-17664)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Java process uses the current working directory for launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option. A local user who can place malicious files on the system and trick the victim to run Ghidrafrom the specific directory can execute the cmd.exe program from this working directory with privileges of the current user.
Remediation
Install update from vendor's website.
References
- http://blog.fxiao.me/ghidra/
- http://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Execution.html
- https://github.com/NationalSecurityAgency/ghidra/issues/789
- https://github.com/NationalSecurityAgency/ghidra/blob/79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca/Ghidra/Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java#L187-L188
- https://github.com/NationalSecurityAgency/ghidra/issues/1090
- https://github.com/NationalSecurityAgency/ghidra/issues/107
- https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-pr2h-5qhx-9544