Though the obvious explanation for that is that it was an intentional backdoor, that honestly looks more to me like a legitimate oversight than a backdoor. I think an actual backdoor would be a lot more subtle and clever than that. Especially since this way, absolutely anyone could exploit it (it's just Java Debug Wire Protocol).
Also, you have to explicitly run it in debug mode for this to happen, which probably only a small percentage of end users will do. Kind of seems like the equivalent of running Flask apps in debug mode, which by default will handle exceptions by showing a traceback with an interactive debugger that can be used to execute arbitrary code.
There could be some backdoors in it, but I'm leaning towards that not being an intentional one. (But I definitely could be totally wrong; you never know when it comes to intelligence agencies.)
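As an added example (not part of the thread, and not Ghidra's launcher code): a small check a defender could run over JVM launch lines to see whether a debug mode leaves a JDWP listener reachable from other hosts. The sample command lines and port 5005 are constructed; the rule that a bare port binds all interfaces before JDK 9 and only localhost from JDK 9 on is standard JVM behaviour.

```python
import re

# Matches both the modern and the legacy spelling of the JDWP agent option.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_jdwp(cmdline, jdk_major):
    """Classify the JDWP listener requested by a JVM command line.

    Returns 'no-jdwp', 'non-socket', 'outbound', 'loopback' or 'exposed'.
    """
    m = JDWP_OPT.search(cmdline)
    if not m:
        return "no-jdwp"
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    # dt_shmem (Windows shared memory) or a missing transport: no TCP listener.
    if opts.get("transport") != "dt_socket":
        return "non-socket"
    # server defaults to n: the JVM connects out to a debugger, it does not listen.
    if opts.get("server", "n") != "y":
        return "outbound"
    address = opts.get("address", "")
    host = address.rsplit(":", 1)[0].strip("[]") if ":" in address else ""
    if host == "":
        # Bare port (or no address): all interfaces before JDK 9, localhost after.
        return "exposed" if jdk_major < 9 else "loopback"
    # '*', '0.0.0.0' or any non-loopback interface is reachable from the network,
    # and JDWP itself has no authentication.
    return "loopback" if host in LOOPBACK else "exposed"


# Constructed sample launch lines (not taken from any real product).
SAMPLES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,address=127.0.0.1:5005 -jar app.jar",
    "java -jar app.jar",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for jdk in (8, 11):
            print(f"JDK {jdk:>2}: {audit_jdwp(line, jdk):<9} {line}")
```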
> Kind of seems like the equivalent of running Flask apps in debug mode, which by default will handle exceptions by showing a traceback with an interactive debugger that can be used to execute arbitrary code.
As an aside, this is no longer precisely the case, though it was for quite some time.
With modern Flask (> 1.0.0), the debug server will start with a randomly generated PIN output to STDOUT when the server starts.
In turn this PIN must be entered on the web interface to execute commands.
I wonder if they run Ghidra on a remote machine and run it with some sort of command and control center to automate tasks (i.e., regularly run some basic automated stuff).
This makes the whole release even more interesting; I wonder if we'll get a statement on why they have that debug mode.
meowface|7 years ago
merlincorey|7 years ago
WrtCdEvrydy|7 years ago