Describe the bug
Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by attacker.
To Reproduce
Steps to reproduce the behavior:
- Create a project, and close it.
- Put an XXE payload in any of the XML files in the project directory (see screenshot for example).
- Open the project.
- Observe your payload doing its thing.
The same concept works with archived projects (.gar files) too.
Expected behavior
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.
Screenshots
The following screenshot was made of a proof of concept that only issues an HTTP GET request to localhost.
Environment (please complete the following information):
- OS: Kali Linux Rolling
- JDK Version: OpenJDK 11.0.2 (11.0.2+9-Debian-3)
- Ghidra Version 9.0
Describe the bug
Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by attacker.
To Reproduce
Steps to reproduce the behavior:
The same concept works with archived projects (.gar files) too.
Expected behavior
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.
Screenshots
The following screenshot was made of a proof of concept that only issues an HTTP GET request to localhost.
Environment (please complete the following information):