Submitted via IRC for TheMightyBuzzard
A vulnerability in Ghidra, the generic disassembler and decompiler released by the NSA in early March, could be exploited to execute code remotely, researchers say.
The flaw, an XML external entity (XXE) issue, was discovered in the Ghidra project loading process immediately after the tool was released.
Impacting the project open/restore, the vulnerability can be exploited by anyone able to trick a user into opening or restoring a specially crafted project, a GitHub report reveals.
To reproduce the issue, one would need to create a project, close it, then put an XXE payload in any of the XML files in the project directory. As soon as the project is opened, the payload is executed.
Now that's just embarrassing.
(Score: 5, Touché) by looorg on Thursday March 21 2019, @03:31PM (16 children)
Vulnerability or intentional Backdoor ... You didn't really believe that the tool was free did you?
(Score: 5, Touché) by fyngyrz on Thursday March 21 2019, @04:02PM (1 child)
Soylentil:
NSA:
--
You matter.
Unless you multiply yourself by the speed of light.
Then you energy.
(Score: 3, Interesting) by DannyB on Thursday March 21 2019, @04:08PM
The mantra is: given enough eyeballs, all bugs are shallow
Not all open source projects get so many eyeballs. (I am thinking the OpenSSL fork to LibreSSL)
But anything from the NSA definitely will.
Remember SELinux? Remember who contributed it to open source? Remember that it is a large number of kernel changes? Remember all the discussion about whether . . . ITS A TRAP !!!
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 2, Interesting) by realDonaldTrump on Thursday March 21 2019, @04:05PM (10 children)
My N.S.A. has two jobs, Keeping America Cyber Safe. And makeing our Foes Cyber Vulnerable. Sorry!
(Score: 5, Insightful) by DannyB on Thursday March 21 2019, @04:15PM (8 children)
Those jobs are in conflict with each other.
The tools we use to keep us safe can be used by our enemies to keep them safe. So we don't make the tools to protect ourselves widely available, because our enemy might get them -- and thus we fail to keep ourselves safe.
The tools we use to hack our enemies can be used by our enemies to hack us. So we don't make those tools, nor the vulnerabilities they exploit, widely available, because our enemy might hack us. But hackers find those same vulnerabilities -- and thus we fail to fail to keep ourselves safe. The enemies learn of these vulnerabilities, and protect against them -- and thus we fail to hack our enemy.
A conflicted set of mission directives that only a politician could conceive of, tolerate, and have the cognitive dissonance to endure. And only the NSA and spy agencies with too many secrets and too many lies to keep straight could have the proper mindset to accept such conflicted mission directives.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 3, Insightful) by realDonaldTrump on Thursday March 21 2019, @04:44PM (2 children)
You make it sound so complicated. It's not complicated. If you're a Friend -- Saudi, Israel or Norway -- you can have our Safe Cyber. Which reports back to N.S.A. If you're a Foe -- European Union, Korea, Iran, Cuba, Venezuela, Canada -- you're getting the Unsafe Cyber. Which reports back to N.S.A.
By the way, UK, right now, is a Foe. We're waiting for you to leave E.U., maybe we can be "friends" after that. But we won't wait forever!
(Score: 3, Touché) by DannyB on Thursday March 21 2019, @05:16PM
You didn't mention which list Russia is on. Or FoxNews.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 0) by Anonymous Coward on Friday March 22 2019, @04:55PM
With friends like that, who needs enemas?
(Score: 4, Insightful) by Thexalon on Thursday March 21 2019, @05:20PM (4 children)
The NSA and other 3-letter agencies have a consistent pattern: When the choice is between (a) our stuff's vulnerable and their stuff's vulnerable, and (b) our stuff's safe and their stuff's safe, they choose (a) every time. Their philosophy seems to be that when it comes to dealing with them getting into our stuff, the best defense is a good offense and they should be countered not by fixing the vulnerability but by breaking into the opposing computers to destroy whatever was stolen or otherwise cause damage in return.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by DannyB on Thursday March 21 2019, @05:32PM (1 child)
It could be a calculated decision.
Our stuff's vulnerable: simple collateral damage -- and better yet, the costs aren't to the government!
Their stuff's vulnerable: That's more important. Necessary to blackmail or topple governments. Spy capability necessary to trumple on people's right to speech and privacy.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 3, Funny) by Anonymous Coward on Thursday March 21 2019, @06:04PM
Trumple. Now that's a word worthy of being added to the dictionary!
(Score: 3, Insightful) by sjames on Thursday March 21 2019, @07:21PM
A more consistent model is achieved if you consider them to be their own nation state and put the United States on their enemies list.
(Score: 0) by Anonymous Coward on Friday March 22 2019, @04:14AM
An important factor is the degree of overlap between vulnerabilities discovered by different nations.
If there is high overlap, then getting the bugs fixed is likely to secure American computers against foes. We should do it.
If there is low overlap, then getting the bugs fixed is unlikely to secure American computers against foes. Bug fixes only weaken our offense. It would be dumb to give up our offensive ability for no gain in defense.
The usual case is low overlap. This is more the case now than it was in the past, because the easy bugs are gone. It is thus a bad idea for the NSA to get the bugs fixed.
(Score: 5, Touché) by Bot on Thursday March 21 2019, @05:48PM
Your NSA? You don't own the intelligence agency, the intelligence agency owns you (no matter who you are)
Account abandoned.
(Score: 5, Funny) by DannyB on Thursday March 21 2019, @04:10PM
> You didn't really believe that the tool was free did you?
Free as in beer. (no financial cost)
Free as in speech. (freedom)
Free as in herpes. (Windows 10; or anything from the NSA.)
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 2) by ikanreed on Thursday March 21 2019, @05:52PM
It seems like the nature of the flaw isn't particularly great for compromising anyone they feel like, but requires similar levels of social engineering as your typical "look at this word.docx" packed with macros.
"Back doors" are usually more vulnerable to at-whim exploitation.
I'm not saying the NSA isn't a garbage organization that spies on americans for political ends, just that the engineering here isn't particularly good for a back door attack.
(Score: 0) by Anonymous Coward on Friday March 22 2019, @06:17AM
"Trust, but verify!"
(Score: 3, Funny) by Snotnose on Thursday March 21 2019, @03:33PM (3 children)
Is this a bug or a feature?
I came. I saw. I forgot why I came.
(Score: 4, Insightful) by DannyB on Thursday March 21 2019, @03:45PM
The choices are not mutually exclusive.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 5, Funny) by FatPhil on Thursday March 21 2019, @03:46PM
"... abuse Java features ..."
They used Java, so ...
... yes!
(Wow, twice in two days I get to insult the mere continuing existence of Java - life is good! (hastily checks `dkpg -l | grep java` for emptiness... phew!))
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by TheFool on Thursday March 21 2019, @04:51PM
Probably just a design decision (or omission), and not really either of those things. It was an internal tool originally. Handing arbitrary project files you randomly grab from the internet probably wasn't something that ever came up. Your co-worker doing this would definitely be fired, and possibly thrown in prison depending on what they were attempting - and those co-workers are the only places you'd be seeing project files as this thing was in its first life.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @09:29PM
So let me get this straight.
You have access to someones desktop files and ability to run things. You put an executable bit of code in that? Why not just run the code if you have access to their desktop? This is the type of vulin that is closing the gate after the horses have ran out.