lolloj - Fotolia
Ghidra update squashes serious bugs in NSA reverse-engineering tool
The NSA answered lingering questions around what kind of support it would provide for Ghidra after releasing the tool as open source with a patch that fixed serious bugs.
An update to the National Security Agency's reverse-engineering tool, Ghidra, patched serious vulnerabilities and helped prove the software will be supported.
The Ghidra update -- version 9.0.1 -- took care of a list of bugs, as well as three serious security vulnerabilities that had been found in the software. An anonymous researcher who goes by the name "sghctoma" on Twitter discovered the most severe Ghidra bug the same day the National Security Agency (NSA) released it as open source.
The researcher found that a malicious actor could perform an XML external entity attack by tricking a user into opening a poisoned Ghidra project. And researchers for Tencent later developed a proof of concept showing how that vulnerability could be leveraged into remote code execution.
Beyond that, the Ghidra update fixed an issue where debug mode would open remotely accessible ports by default and a vulnerability where a certain plugin would render HTML when it shouldn't. The latter of those issues, according to sghctoma, could have been used in a server-side request forgery attack or an NT LAN Manager relay attack.
Prior to the NSA releasing Ghidra, the infosec community saw the potential of a free tool that could compete with current, expensive reverse-engineering products, but there was hesitation. Some worried that the NSA would include backdoors or other methods to spy on users, and others thought the tool would be abandoned after being released.
Jake WilliamsFounder and CEO, Rendition Infosec
Jake Williams, founder and CEO of Rendition Infosec in Augusta, Ga., and former member of the NSA's Tailored Access Operations hacking group, called the Ghidra update "a real win for the NSA."
"One of the major questions around this release was how responsive NSA would be in fixing issues that were identified. Honestly, the speed of this release was much faster than I anticipated and will undoubtedly build goodwill for NSA," Williams said. "Overnight, more people tested Ghidra than likely ever have before. As a result, NSA has fixed a huge number of functionality bugs, some of which may have presented NSA analysts with bad information -- without them realizing it."
The sentiment was echoed on Twitter by a popular security researcher known as OSXreverser who specializes in macOS reverse-engineering.
Ghidra v9.0.1 released. Sounds like they are serious about supporting this. Now this is the real game changer!— The Engineering Guru (@osxreverser) March 26, 2019
However, Williams added that while the Ghidra update was an overall positive, the vulnerabilities found might not have been "that big of a deal" anyway.
"It is exceedingly rare that reverse-engineers run this sort of software on production machines," Williams said. "Exploitation of any of the vulnerabilities would have been extremely difficult in any case."