Pierluigi Paganini March 06, 2019

The NSA released the Ghidra, a multi-platform reverse engineering framework that could be used to find vulnerabilities and security holes in applications.

In January 2019, the National Security Agency (NSA) announced the release at the RSA Conference of the free reverse engineering framework GHIDRA.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking techniques, tools, and capabilities. Digging in the huge trove of files, it is possible to find also information about the GHIDRA, a Java-based engineering tool.

Now the NSA has released the suite Ghidra that could be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime, it is available
for download here. Of course, people fear the US Agency may have introduced a backdoor in the suite, but the NSA excluded it.

The platform was presented at the RSA Conference in San Francisco on Tuesday by Rob Joyce, former head of the NSA’s elite hacking team and now White House cybersecurity coordinator,

Joyce has presented the code-analysis suite, he remarked the absence of backdoors.

“There is no backdoor in Ghidra,” he announced. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”

The popular expert Matthew “HackerFantastic” Hickey, cofounder of British security shop Hacker House, noticed something of strange.

Hickey told The Register that when you run it in debug mode the suite, it opens port 18001 to your local network that accepts and executes remote commands from any machine that can connect in. Even if the Debug mode is not activated by default, it’s something to be aware.

“This issue is, therefore, more of a bugdoor than a backdoor, and can be neutered by changing the launcher shell script so that the software listens only to debug connections from the host, rather than any machine via the network.” reported The Register.

An NSA spokesperson told The Register that the open port was to allow teams to collaborate and share information, but Hickey argues that this feature is provided by another network port.

“The shared project uses a different port, 13100, so, no, it’s not the same function. They made an error and put * instead of localhost when enabling debug mode for Ghidra,” Hickey told The Reg.

Joyce explained that Ghidra was an internal project for analyzing software, including malware.

Ghidra has 1.2 million lines of code, it allows to reverse the compiler process, decompile executable code into assembly listings and finally into approximate C code. It also allows to create a graphical representation of the control flows through functions, inspect symbols and references, identify variables, data, and such information, and more.

The suite is able to analyze code targeting x86, Arm, PowerPC, MIPS, Sparc 32/64 and a host of other processors, it can run on Windows, macOS and Linux. The code can also handle Java and Python-based plugins.

The platform also includes help files and Joyce the NSA hopes the security community can improve the suite with its contribution.

“Ghidra is out but this is not the end,” he promised. “This is a healthy ongoing development in the NSA, it’s our intent to have a GitHub repository out there. The buildable environment will come and we’ll accept contributions.”

Joyce announced that the NSA will also release an integrated debugger, a powerful emulator, and improved analysis tools.

Pierluigi Paganini

(SecurityAffairs – Ghidra, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]