Automate the binary vulnerability disclosure with Ghidra and Semgrep

The following tools can be used to automate processes involving vulnerability finding using static analysis methods:

A straight forward Ghidra script named Rhabdomancer finds all references to possibly unsafe API functions in a binary. From these candidate sites, auditors can backtrack to discover access points for unverified input.

Another Ghidra script, called Haruspex, can extract all of the pseudo-code produced by the Ghidra decompiler into a format that can be imported into an IDE like Visual Studio Code or analysed by static analysis software like Semgrep.

My Semgrep rules were created specifically to aid auditors in locating hotspots in C/C++ code and identifying probable problems.

Although Semgrep is a static analysis tool that operates on source code, Haruspex allows us to use its capability against closed source binaries as well.

Challenges of binary vulnerability discovery

It is now time to investigate the difficulties of binary code vulnerability discovery after learning basic foundations. Dynamic analysis and fuzzing are not discussed in this article. Let’s concentrate on static analysis instead.

Having the source code available throughout the audit is extremely helpful if it is undeniably true that your end aim is the binary. In addition to being time-consuming and frequently slower than source code analysis, binary analysis necessitates a better understanding of the target platform and compiler implementation. Access to the source code is especially helpful for static analysis chores, and both paid and unpaid solutions are available to automate some of these processes.

Semgrep is one such instrument. You may now concentrate on finding vulnerabilities after creating a C/C++ ruleset, and you can speed up binary analysis by using various techniques to apply to the pseudo-code produced by a decompiler. This is not a novel concept; other academics have lately used it in a couple of different ways. It turns out that this strategy, despite some drawbacks, is highly effective. It’s not perfect, but it does the job.

A binary bug hunting toolkit

When Marco started working with me to improve as a vulnerability researcher, he wanted to know what he was doing rather than just firing tools at target binaries without thinking. He therefore concentrated solely on manual analysis. Of course, this quickly becomes tedious, especially when dealing with huge binaries.

He created Rhabdomancer, a straightforward Ghidra script that finds all calls to possibly unsafe API functions in a binary, in order to boost his efficiency (and learn Ghidra scripting). From these candidate sites, auditors can backtrack to discover access points for unverified input. This helped us find several intriguing vulnerabilities in big binaries in a fair amount of time when combined with manual examination.

The logical next step was to extract all of the Ghidra decompiler’s output pseudo-code into a format that could be imported into an IDE like Visual Studio Code or read by static analysis tools like Semgrep. My Haruspex script performs just this. This configuration should make it easier for auditors to uncover potential vulnerabilities and pinpoint problem areas in binary code. Let’s test it out on a genuine target.

Finally, the show showtime!

Apply his toolbox now to certain recent found and reported to Zyxel ZyWALL Unified Security Gateway (USG) appliances real-world vulnerabilities.

The CVE-2022-26531 designation was given to the following memory corruption flaws in the zysh binary:

•     Buffer overflows in the “configure terminal > diagnostic” command.
•     Buffer overflow in the “debug” command.
•     Buffer overflow in the “ssh” command.
•     Format string bugs in the “extension” argument of some commands.

The zysh binary was identified as having the following command injection vulnerability (CVE-2022-26532):

•  OS command injection in the “packet-trace” command.

Take the following actions to use Rhabdomancer against the zysh binary:

• Auto analyzes our target binary with the default analyzers (at least).
• Copy the script into our “ghidra_scripts” directory.
• Open the Script Manager in Ghidra and run the script (or run it via the Tools > Rhabdomancer menu or the shortcut “Y”).
• Open Window > Comments and navigate [BAD] candidate points in different badness tiers.

OS command injection

The “raptor-command-injection” rule does not pick up on the exact case of command injection that I have described in my advisory, despite the fact that the calls to sprintf(), stpcpy(), and strcat() that create the “tcpdump” command string are highlighted by my ruleset. This vulnerability can only be found manually by comprehending the context because the affected code path is a little complicated and the injection requires abusing a GTFObins technique.

Read the full article at: https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/