Ghidra Arbitrary Command Execution Vulnerability via Auto-Analysis Annotations

Vulnerability

Ghidra versions prior to 12.0.3 are vulnerable to arbitrary command execution on the analyst's machine. Ghidra's comment annotation syntax, including the @execute directive that turns comment text into a clickable link which launches a program, is intended for comments written by the analyst. Before 12.0.3, the same annotation processing was also applied to comments that auto-analysis generates from data in the binary itself, notably CFString contents in Mach-O files. A crafted binary can therefore embed an annotation that renders as an innocuous clickable link in the listing and, when the analyst clicks it, runs an attacker-chosen command.

Impact

Successful exploitation runs attacker-controlled commands with the privileges of the user running Ghidra, which can lead to full compromise of the analysis workstation. The attack requires the analyst to click the rendered link, but nothing in the listing distinguishes such a link from a legitimate annotation.

Reproduction

To reproduce the issue, compile a Mach-O binary whose CFString literals contain Ghidra annotation directives, including an @execute directive with a harmless command (for instance one that opens a desktop application). Do this in an isolated analysis VM rather than on a production workstation. Open the binary in a vulnerable Ghidra, let auto-analysis finish, and navigate to the data section holding the CFStrings. The annotated text appears as clickable links in the listing; clicking one executes the embedded command on the analyst's machine.
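A practitioner who cannot upgrade immediately will want to know whether a sample carries such directives before it is loaded. The scanner below is an added example, not part of this advisory and not Ghidra's own code: it searches a file's raw bytes for Ghidra-style annotation directives of the form {@name ...}, flags @execute as the one that can run commands, and exits non-zero when one is present. The embedded sample bytes are constructed for the example, and the argument layout shown for the @execute directive is an assumption; the scanner only needs the {@execute ...} envelope to match. It only looks at 8-bit string data, so annotations stored in wide-character strings would be missed.

```python
"""Pre-load scan of a binary for Ghidra comment annotation directives."""
import re
import sys

# Ghidra renders comment text of the form {@name arg ...} as an active
# annotation. @execute launches a program when the link is clicked, so it is
# the one that matters here; the others are reported as well so that nothing
# that would become a live link in the listing goes unnoticed. Annotations
# never contain a closing brace or a NUL byte, which bounds the match.
ANNOTATION_RE = re.compile(
    rb"\{@(execute|url|program|symbol|address)\b([^}\x00]*)\}", re.IGNORECASE
)
EXECUTES_COMMANDS = {"execute"}

# Constructed sample standing in for a binary's string data: benign strings
# around an @execute directive hidden in a CFString-style literal and a
# harmless @url directive. The @execute argument layout is an assumption
# made for this example.
SAMPLE = (
    b"\x00" * 16
    + b"Usage: tool [options]\x00"
    + b'{@execute "/usr/bin/open" "-a Calculator" "see documentation"}\x00'
    + b"{@url https://example.org/docs release notes}\x00"
    + b"{@not_an_annotation}\x00"
    + b"\x00" * 8
)


def find_annotations(data: bytes) -> list[dict]:
    """Return every annotation directive found in raw bytes, with its offset."""
    findings = []
    for m in ANNOTATION_RE.finditer(data):
        kind = m.group(1).decode("ascii").lower()
        findings.append({
            "offset": m.start(),
            "kind": kind,
            "args": m.group(2).decode("ascii", errors="replace").strip(),
            "executes_commands": kind in EXECUTES_COMMANDS,
        })
    return findings


def is_safe_to_open(data: bytes) -> bool:
    """True when no directive that can run a command is present."""
    return not any(f["executes_commands"] for f in find_annotations(data))


def scan_file(path: str) -> list[dict]:
    """Scan a file on disk; reads the whole file since samples are small."""
    with open(path, "rb") as fh:
        return find_annotations(fh.read())


if __name__ == "__main__":
    # With a path argument the real file is scanned; otherwise the sample is.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in find_annotations(data):
        flag = "DANGEROUS" if f["executes_commands"] else "info"
        print(f"0x{f['offset']:08x} {flag:9} @{f['kind']} {f['args']}")
    sys.exit(0 if is_safe_to_open(data) else 1)
```

Run it as `python3 scan_annotations.py sample.macho`; a non-zero exit means an @execute directive was found and the sample should only be opened in a patched Ghidra or an isolated VM. The scan is deliberately over raw bytes rather than over a parsed Mach-O, so it also catches directives placed outside the CFString section.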

Remediation

Users are advised to upgrade to Ghidra version 12.0.3 or later. Until the upgrade is applied, do not click links in auto-generated comments of untrusted binaries, and analyze untrusted samples in an isolated VM.

Added: Mar 29, 2026, 8:18 PM
Updated: Mar 29, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.