CVE-2019-16941 : NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary co

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).

Published 2019-09-28 16:15:10

Updated 2019-10-04 21:15:11

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-16941

NSA » Ghidra
Versions up to, including, (<=) 9.0.4
cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-16941

EPSS FAQ

22.86%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 95 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-16941

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-16941

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-16941

https://github.com/NationalSecurityAgency/ghidra/issues/1090

RCE possible in Function Bit Patterns Explorer Plugin · Issue #1090 · NationalSecurityAgency/ghidra · GitHub
Exploit;Issue Tracking;Patch;Third Party Advisory
https://github.com/NationalSecurityAgency/ghidra/blob/79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca/Ghidra/Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java#L187-L188

ghidra/FileBitPatternInfoReader.java at 79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca · NationalSecurityAgency/ghidra · GitHub
Third Party Advisory
https://github.com/NationalSecurityAgency/ghidra/commit/a17728f8c12effa171b17a25ccfb7e7d9528c5d0

Merge remote-tracking branch 'origin/GT-3198_dev747368_fix_XMLDecoder… · NationalSecurityAgency/ghidra@a17728f · GitHub
https://twitter.com/NSAGov/status/1178812792159248385

NSA/CSS on Twitter: "#Ghidra Users: A flaw currently exists within Ghidra versions through 9.0.4. The conditions needed to exploit this flaw are rare and a patch is currently being worked. This flaw i
https://github.com/purpleracc00n/CVE-2019-16941

GitHub - purpleracc00n/CVE-2019-16941: PoC for CVE-2019-16941
https://www.symantec.com/security-center/vulnerabilities/writeup/110223?om_rssid=sr-advisories

Symantec Security Center

Jump to

Vulnerability Details : CVE-2019-16941

Products affected by CVE-2019-16941

Exploit prediction scoring system (EPSS) score for CVE-2019-16941

CVSS scores for CVE-2019-16941

CWE ids for CVE-2019-16941

References for CVE-2019-16941