
Ghidra Software Reverse Engineering for Beginners
In this section, we will learn how the RCE vulnerability found in Ghidra 9.0 works, how to exploit it, and how to fix it.
The vulnerability was caused by a line in launch.bat (used when running Ghidra on Windows) and in launch.sh (used when running it on Linux or macOS). This is the line involved:
-Xrunjdwp:transport=dt_socket,server=y,suspend=${SUSPEND},address=*:${DEBUG_PORT}
The vulnerability was fixed in the second release, Ghidra 9.0.1, by replacing the asterisk (*), which allows any address to attach a debugger to Ghidra, with a variable that limits the debug listener to localhost:
-Xrunjdwp:transport=dt_socket,server=y,suspend=!SUSPEND!,address=!DEBUG_ADDRESS!
As you can see, the vulnerability is so obvious that, paradoxically, it probably went unnoticed for precisely that reason.
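As an added example (not code from the book or from the Ghidra project), the following Python script audits a launch script for the weak JDWP setting beside the corrected one. It resolves simple variable assignments such as ${DEBUG_PORT}, %DEBUG_PORT% and !DEBUG_ADDRESS!, then classifies the host part of the address= sub-option. The two script fragments are constructed to mirror the lines quoted above; the value assigned to DEBUG_ADDRESS in the fixed fragment is an assumption, since the text only says that the fix limits the listener to localhost.

```python
import re

# Matches either spelling of the JDWP agent argument and captures its sub-options.
JDWP_ARG = re.compile(r"-(?:Xrunjdwp:|agentlib:jdwp=)([^\s\"']+)")
# Simple assignments: sh `NAME=value` or Windows batch `set NAME=value`.
ASSIGN = re.compile(r"^\s*(?:set\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$", re.IGNORECASE)
# Variable references in sh (${NAME}, $NAME) and batch (!NAME!, %NAME%) syntax.
VAR_REF = re.compile(r"\$\{(\w+)\}|\$(\w+)|!(\w+)!|%(\w+)%")

WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Constructed launch-script fragments modelled on the two lines quoted in the text
# (not the real launch.sh / launch.bat).
VULNERABLE_SH = """
DEBUG_PORT=18001
SUSPEND=n
VMARGS="-Xrunjdwp:transport=dt_socket,server=y,suspend=${SUSPEND},address=*:${DEBUG_PORT}"
"""
FIXED_BAT = """
set DEBUG_PORT=18001
set SUSPEND=n
set DEBUG_ADDRESS=127.0.0.1:%DEBUG_PORT%
set VMARGS=-Xrunjdwp:transport=dt_socket,server=y,suspend=!SUSPEND!,address=!DEBUG_ADDRESS!
"""


def expand(value, env, depth=0):
    """Expand variable references using assignments seen earlier in the script."""
    if depth > 5:  # guard against self-referential assignments
        return value

    def sub(match):
        name = next(g for g in match.groups() if g)
        if name in env:
            return expand(env[name], env, depth + 1)
        return match.group(0)  # leave unknown variables unresolved

    return VAR_REF.sub(sub, value)


def parse_jdwp(arg):
    """Split 'transport=dt_socket,server=y,...' into a dict of sub-options."""
    opts = {}
    for part in arg.split(","):
        key, _, val = part.partition("=")
        opts[key.strip()] = val.strip()
    return opts


def classify_address(address):
    """Classify where a JDWP server would listen, based on the address= value."""
    if address == "":
        return "unspecified"
    if VAR_REF.search(address):
        return "unresolved-variable"
    host, sep, _port = address.rpartition(":")
    if not sep:
        # Port only: JDK 9+ binds to localhost, JDK 8 and earlier to all interfaces.
        return "port-only"
    host = host.strip()
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    if host in LOOPBACK_HOSTS:
        return "localhost"
    return "specific-host"


def audit_script(text):
    """Return (argument, resolved address, classification) for each JDWP option found."""
    env = {}
    findings = []
    for line in text.splitlines():
        assign = ASSIGN.match(line)
        if assign:
            env[assign.group(1)] = assign.group(2).strip('"')
        for match in JDWP_ARG.finditer(line):
            opts = parse_jdwp(match.group(1))
            if opts.get("server", "n").lower() != "y":
                # server=n means the JVM dials out to a debugger; it opens no listener.
                findings.append((match.group(0), None, "client-mode"))
                continue
            address = expand(opts.get("address", ""), env)
            findings.append((match.group(0), address, classify_address(address)))
    return findings


if __name__ == "__main__":
    for label, script in (("9.0-style", VULNERABLE_SH), ("9.0.1-style", FIXED_BAT)):
        for arg, address, verdict in audit_script(script):
            print(f"{label}: address={address} -> {verdict}")
```

Running the script reports the 9.0-style fragment as all-interfaces and the 9.0.1-style fragment as localhost. A bare port with no host is reported separately because its meaning depends on the JDK: from JDK 9 onward it binds to the loopback interface only, while JDK 8 and earlier listen on every interface, so treat port-only on an old JDK as the same finding as the asterisk.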
To exploit this RCE vulnerability, we set up a vulnerable machine...