MAD Bugs: Claude Found an Auth Bypass in NSA's Ghidra Server
This bug may resemble a backdoor in effect, but there’s no evidence it was intentional. Really.
Ghidra is an open-source reverse engineering framework developed by the NSA, widely used for finding vulnerabilities in compiled software. Its server component, Ghidra Server, enables teams to collaborate on shared reverse engineering projects with centralized storage and access control.
Ghidra Server’s PKI mode is intended to authenticate users via a challenge-response protocol: the server sends a random 64-byte token, the client signs it with their private key, and the server verifies the signature against the client’s certificate. This proves the client possesses the private key corresponding to the certificate they present.
This all sounded solid, until Claude spotted a flaw in PKIAuthenticationModule.java:143-152 that looks like this:

    if (sigBytes != null) {
        verify(signature);
    }
    // else: skip verification entirely 😬

When sigBytes is null, the verification block is skipped entirely and no exception is thrown. Execution falls through to the Distinguished Name lookup, which resolves the certificate’s subject DN to a registered username and returns it as the authenticated identity. No proof of private key possession was required.
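To make the fall-through concrete, here is an added model of the challenge-response login described above, with the vulnerable branch beside a hardened one. This is illustrative code written for this post, not Ghidra's own implementation: the certificate, the DN-to-username table and the session flow are simplified assumptions, and a Lamport one-time signature (pure standard library) stands in for the RSA/ECDSA key behind a real client certificate.

```python
"""Model of a PKI challenge-response login with a null-signature fall-through.
Constructed example; not Ghidra Server code."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# --- Lamport one-time signature: stand-in for the client's certificate key ---
def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> bytes:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return b"".join(sk[i][(h >> (255 - i)) & 1] for i in range(256))

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for i in range(256):
        bit = (h >> (255 - i)) & 1
        if hashlib.sha256(sig[32 * i:32 * i + 32]).digest() != pk[i][bit]:
            return False
    return True

@dataclass
class Certificate:
    subject_dn: str   # e.g. "CN=alice,O=Example" (constructed value)
    public_key: list  # Lamport public key

class Server:
    def __init__(self, registered: dict):
        self.registered = registered  # subject DN -> username

    def challenge(self) -> bytes:
        return secrets.token_bytes(64)  # the 64-byte random token

    def authenticate_vulnerable(self, cert: Certificate, token: bytes,
                                sig_bytes: Optional[bytes]) -> Optional[str]:
        # Mirrors the flawed shape: verification only runs when a signature
        # is present; a missing signature is silently accepted.
        if sig_bytes is not None:
            if not lamport_verify(cert.public_key, token, sig_bytes):
                raise PermissionError("bad signature")
        # Fall-through: DN lookup happens whether or not anything was verified.
        return self.registered.get(cert.subject_dn)

    def authenticate_fixed(self, cert: Certificate, token: bytes,
                           sig_bytes: Optional[bytes]) -> str:
        # Hardened: absence of a signature is a hard failure, and the DN is
        # only consulted after possession of the private key is proven.
        if sig_bytes is None:
            raise PermissionError("signature required")
        if not lamport_verify(cert.public_key, token, sig_bytes):
            raise PermissionError("bad signature")
        user = self.registered.get(cert.subject_dn)
        if user is None:
            raise PermissionError("unknown subject DN")
        return user

def run_demo() -> dict:
    """Exercise both paths; returns what each call yields (username or 'rejected')."""
    sk, pk = lamport_keygen()
    cert = Certificate("CN=alice,O=Example", pk)
    server = Server({"CN=alice,O=Example": "alice"})
    token = server.challenge()
    results = {}
    # Legitimate client: holds the private key and signs the token.
    results["honest_vulnerable"] = server.authenticate_vulnerable(cert, token, lamport_sign(sk, token))
    results["honest_fixed"] = server.authenticate_fixed(cert, token, lamport_sign(sk, token))
    # Party presenting alice's certificate without the private key, sending no signature.
    results["nosig_vulnerable"] = server.authenticate_vulnerable(cert, token, None)
    try:
        server.authenticate_fixed(cert, token, None)
        results["nosig_fixed"] = "accepted"
    except PermissionError:
        results["nosig_fixed"] = "rejected"
    # Same party, sending random bytes as a signature: both paths reject.
    try:
        server.authenticate_fixed(cert, token, secrets.token_bytes(256 * 32))
        results["badsig_fixed"] = "accepted"
    except PermissionError:
        results["badsig_fixed"] = "rejected"
    return results

if __name__ == "__main__":
    print(run_demo())
```

The vulnerable path only fails closed when a signature is present and wrong; an absent signature is the one input it never checks, which is exactly why the honest and the no-signature cases both resolve to "alice". The fix treats "no signature" as a rejected authentication attempt before any identity lookup runs.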
This enables a low-privileged analyst to escalate to administrator, exfiltrate or destroy shared reverse engineering databases, and permanently rewrite repository access controls.
PoC and fix: https://github.com/califio/publications/tree/main/MADBugs/ghidra-server/.
