HTTP: Ghidra RestoreTask.java Arbitrary Code Execution

This signature detects attempts to exploit a known vulnerability in Ghidra's RestoreTask.java. A successful attack can lead to arbitrary code execution.

Extended Description

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis result is archived for sharing with other persons. To achieve arbitrary code execution, one approach is to overwrite some critical Ghidra modules, e.g., the decompile module.

Affected Products

NSA Ghidra

References

CVE: CVE-2019-13623

Short Name: HTTP:STC:DL:GHIDRA-RSTR-TSK-RCE
Severity: Minor
Recommended: False
Recommended Action: Drop
Category: HTTP
Keywords: Arbitrary CVE-2019-13623 Code Execution Ghidra RestoreTask.java
Release Date: 07/11/2022
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3509
False Positive: Unknown
Vendors

NSA
