
NSA released Ghidra, its multi-platform reverse engineering framework

The NSA released Ghidra, a multi-platform reverse engineering framework that could be used to find vulnerabilities and security holes in applications.

In January 2019, the National Security Agency (NSA) announced that it would release its free reverse engineering framework GHIDRA at the RSA Conference.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that detail CIA hacking techniques, tools, and capabilities. Digging through the huge trove of files, it is also possible to find information about GHIDRA, a Java-based reverse engineering tool.

Now the NSA has released the Ghidra suite, which could be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime; it is available for download here. Of course, people fear the US agency may have introduced a backdoor into the suite, but the NSA has denied it.

The platform was presented at the RSA Conference in San Francisco on Tuesday by Rob Joyce, former head of the NSA’s elite hacking team and now White House cybersecurity coordinator.

Presenting the code-analysis suite, Joyce stressed the absence of backdoors.

“There is no backdoor in Ghidra,” he announced. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”

The popular expert Matthew “HackerFantastic” Hickey, co-founder of the British security firm Hacker House, noticed something strange.

Hickey told The Register that when the suite is run in debug mode, it opens port 18001 on the local network and accepts and executes remote commands from any machine that can connect to it. Even though debug mode is not enabled by default, it is something to be aware of.

“This issue is, therefore, more of a bugdoor than a backdoor, and can be neutered by changing the launcher shell script so that the software listens only to debug connections from the host, rather than any machine via the network,” The Register reported.

An NSA spokesperson told The Register that the open port was meant to allow teams to collaborate and share information, but Hickey argues that this feature is provided by a different network port.

“The shared project uses a different port, 13100, so, no, it’s not the same function. They made an error and put * instead of localhost when enabling debug mode for Ghidra,” Hickey told The Reg.
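As an added example (not part of the original article and not Ghidra's own launcher code), the following POSIX shell script shows how a defender can check for the misconfiguration described above: it classifies a JVM JDWP debug option by the address it binds, rewrites a wildcard bind to loopback in the way The Register's suggested launcher-script fix does, and scans `ss -ltn`-style output for a debug listener exposed on every interface. The option strings, function names and the sample socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Ghidra's own launcher code. Ghidra's debug mode (per the
# article) started the JVM with a JDWP agent bound to "*" (every interface)
# on port 18001; binding to 127.0.0.1 confines it to the host.
# Option strings and the sample socket listing are constructed for illustration.

# jdwp_bind_scope JVM_ARG
#   Prints "wildcard" (any interface), "local" (loopback only),
#   "other" (an explicit host), "unspecified" (no address or a bare port:
#   all interfaces on JDK 8, loopback only on JDK 9+) or "none" (not a
#   JDWP agent option).
jdwp_bind_scope() {
    case "$1" in
        *-agentlib:jdwp=*|*-Xrunjdwp:*) ;;
        *) echo none; return 0 ;;
    esac
    addr=$(printf '%s\n' "$1" | sed -n 's/.*address=\([^, ]*\).*/\1/p')
    case "$addr" in
        '*:'*|0.0.0.0:*|'[::]:'*) echo wildcard ;;
        127.0.0.1:*|localhost:*|'[::1]:'*) echo local ;;
        *:*) echo other ;;
        *) echo unspecified ;;   # empty or a bare port number
    esac
}

# harden_jdwp_arg JVM_ARG
#   Rewrites a wildcard JDWP address to loopback; other arguments pass through.
harden_jdwp_arg() {
    printf '%s\n' "$1" | sed -e 's/address=\*:/address=127.0.0.1:/' \
                             -e 's/address=0\.0\.0\.0:/address=127.0.0.1:/'
}

# exposed_listeners PORT
#   Reads `ss -ltn`-style lines on stdin and prints each Local Address:Port
#   column whose port is PORT and whose address is a wildcard.
exposed_listeners() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (port == p && (host == "*" || host == "0.0.0.0" || host == "[::]"))
                print $4
        }'
}

# Constructed sample in `ss -ltn` layout: sshd on all interfaces, a debug
# agent on every interface, and the shared-project port on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     *:18001            *:*
LISTEN 0      50     127.0.0.1:13100    0.0.0.0:*'

# Stand-alone demonstration on the constructed sample.
DEBUG_ARG='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001'
echo "launcher option binds: $(jdwp_bind_scope "$DEBUG_ARG")"
echo "hardened option:       $(harden_jdwp_arg "$DEBUG_ARG")"
echo "exposed debug listeners in sample:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 18001
```

On a live host, `ss -ltn | exposed_listeners 18001` gives the same check against real sockets; an empty result means no debug listener is reachable from other machines. The bare-port case is reported as "unspecified" rather than guessed, because the JDWP default bind changed between JDK 8 and JDK 9.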

Joyce explained that Ghidra was an internal project for analyzing software, including malware.

Ghidra has 1.2 million lines of code. It reverses the compiler process, decompiling executable code into assembly listings and then into approximate C code. It can also build a graphical representation of the control flow through functions, inspect symbols and references, identify variables and data, and more.

The suite can analyze code targeting x86, Arm, PowerPC, MIPS, Sparc 32/64 and a host of other processors, and it runs on Windows, macOS and Linux. It also supports Java- and Python-based plugins.

The platform also includes help files, and Joyce said the NSA hopes the security community will improve the suite with its contributions.

“Ghidra is out but this is not the end,” he promised. “This is a healthy ongoing development in the NSA, it’s our intent to have a GitHub repository out there. The buildable environment will come and we’ll accept contributions.”

Joyce announced that the NSA will also release an integrated debugger, a powerful emulator, and improved analysis tools.


Pierluigi Paganini

(SecurityAffairs – Ghidra, hacking)
