Historical vulnerabilities: According to VulDB, WinRAR has few historical vulnerabilities, and even fewer can be exploited reliably.
Only two entries appear in CISA's Known Exploited Vulnerabilities catalog.
Affected versions: versions below 6.23, but during reproduction it was found that the 5.x versions could not be exploited successfully.
Exploit: a zero-day vulnerability in WinRAR (tracked as CVE-2023-38831) has been actively exploited by cybercriminals since April 2023. For details, see: https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
Tools: Process Monitor, WinDbg, IDA, binary analysis tools
Analysis
Reproduction
After downloading the GitHub files, double-click CVE-2023-38831-poc.rar in the directory. The WinRAR window opens; double-click the CLASSIFIED_DOCUMENTS.pdf entry. The calculator pops up and the reproduction is successful.
File analysis
The top-level directory contains a PDF file and a directory, both named "CLASSIFIED_DOCUMENTS.pdf".
Inside the directory is a file named "CLASSIFIED_DOCUMENTS.pdf .cmd", which serves as the payload that launches the calculator.
System operation analysis
File creation analysis
After the PDF entry is double-clicked, the WinRAR process creates two files in a directory under Temp, "CLASSIFIED_DOCUMENTS.pdf" and "CLASSIFIED_DOCUMENTS.pdf .cmd", and calls QueryDirectory before creating them.
Both file creation operations are issued by WinRAR.exe from the same code address.
Process operation analysis
cmd.exe is also launched by the WinRAR.exe process; further analysis showed that it is launched via ShellExecuteW.
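The Process Monitor observations above (WinRAR.exe writing a decoy and a script into a Temp folder, then launching cmd.exe on the script) translate directly into a process-creation detection. The following Python is an added example, not code from the original analysis: it scores process-creation events for the parent/child pair and command-line traits seen during reproduction. The event records, the `Rar$...` temp-folder naming used in the regex, and the field names are constructed assumptions; in practice the events would come from Sysmon Event ID 1 or an EDR's process telemetry.

```python
import re
from dataclasses import dataclass
from typing import List

# Script hosts WinRAR should essentially never spawn on behalf of a double-clicked "document".
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command line ends with a script extension (allowing the quoting CreateProcessW receives).
SCRIPT_EXT = re.compile(r"\.(cmd|bat|vbs|vbe|js|jse|ps1|wsf)\b[\"'\s]*$", re.IGNORECASE)
# Whitespace between the name and the extension, the hallmark of the "X.pdf .cmd" payload name.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(cmd|bat|vbs|vbe|js|jse|ps1|wsf)\b", re.IGNORECASE)
# Assumption: WinRAR stages double-clicked members in a Rar$... folder under %TEMP%.
RAR_TEMP_DIR = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a vendor schema)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the indicators matched by one event; an empty list means nothing matched."""
    reasons: List[str] = []
    if basename(ev.parent_image) != "winrar.exe":
        return reasons
    if basename(ev.image) not in INTERPRETERS:
        return reasons
    reasons.append("winrar-spawns-interpreter")
    if RAR_TEMP_DIR.search(ev.command_line):
        reasons.append("target-in-rar-temp-folder")
    if SCRIPT_EXT.search(ev.command_line):
        reasons.append("script-file-argument")
    if SPACE_BEFORE_EXT.search(ev.command_line):
        reasons.append("space-before-extension")
    return reasons


def is_suspicious(ev: ProcEvent) -> bool:
    """Alert when WinRAR launches a script host on a script, or on anything in its temp folder."""
    r = classify(ev)
    return "winrar-spawns-interpreter" in r and (
        "script-file-argument" in r or "target-in-rar-temp-folder" in r
    )


# Constructed sample events: one mirrors the reproduction, two are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
              r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c ""C:\Users\alice\AppData\Local\Temp\Rar$DIa9876.1234\CLASSIFIED_DOCUMENTS.pdf .cmd" "'),
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
              r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
              r'"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa9876.1234\CLASSIFIED_DOCUMENTS.pdf"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k build.cmd'),
]


def scan(events: List[ProcEvent]) -> List[int]:
    """Indices of the suspicious events in a batch."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, basename(ev.image), classify(ev))
    print("suspicious:", scan(SAMPLE_EVENTS))
```

The first indicator alone (WinRAR spawning a script host) is already a strong signal in most environments; the extra indicators exist so that an analyst can see why an event fired and tune the threshold in `is_suspicious`.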
Reverse analysis (base address 0x130000)
Reverse analysis shows that the vulnerable path in WinRAR.exe falls into four stages: RAR file parsing, file path conversion, file creation, and file execution.
Stage 1: RAR file parsing. WinRAR.exe extracts the name list from the RAR file and saves it to the global variable PathName.
(1) 0021a485: allocate a heap buffer via HeapAlloc and save its address in dword_320274.
(2) 001BE2FC: read CVE-2023-38831-poc.rar via ReadFile (the handle having been returned by CreateFileW); the trailing chunk of less than 0x2000 bytes, which contains the directory and file name list of the archive, is stored in dword_320274.
(3) 00218099: assign dword_320274 to dword_320278, then apply an offset so that the complete directory or file name is extracted.
(4) 002141D6: assign dword_320278 to the MultiByteStr variable; function sub_214660 performs this step.
(5) 0021427C: convert MultiByteStr to wide characters and save it to PathName; function sub_1EB9B0 performs this step.
Stage 2: file path conversion. This converts the file name saved in PathName into an absolute path, which the file creation step then uses.
(1) 00211CE3: function sub_1EFB90 performs this operation.
(2) During debugging, the conversion of the file name to an absolute path can be observed clearly; 0x320384 is the address of the PathName variable.
Stage 3: file creation. (1) 001BE20E: done mainly through the CreateFileW function; the path created is the absolute path stored in the PathName variable after conversion.
Stage 4: file execution.
(1) This is done mainly through SHELL32!ShellExecuteExW, but the parameter passed in is not the payload file ending in .cmd.
(2) Because of the trailing space, however, the argument that ShellExecuteExW finally passes to CreateProcessW is the file ending in .cmd, so the payload is triggered and the calculator pops up.
Root cause
First, WinRAR extracts the directory and file name list that follows the compressed data; it contains a directory, a .cmd file inside that directory, and a PDF file.
Next, it converts the directory and the PDF file to absolute paths.
Then it creates a temporary copy of the PDF in the Temp directory, but the directory itself is not created.
Normally processing would end here, but WinRAR goes on to parse the .cmd file inside the directory, and drops the original directory component when converting it to an absolute path.
As a result the .cmd file and the PDF end up in the same path, and the trailing space in the name means that ShellExecuteExW eventually launches the payload.
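The root cause above, together with the layout described under "File analysis", gives a static signature that can be checked on an archive listing before anything is opened: a file and a directory that share a name once trailing whitespace is ignored, with a script inside that directory whose name is the decoy's name plus a space and a script extension. The following Python is an added example, not code from the original analysis or from the PoC author: it runs that heuristic over a list of archive entry names. The sample listings are constructed from the page's description; the function does not parse RAR or ZIP itself, so the names are assumed to come from a lister such as `zipfile.ZipFile.namelist()` or the output of `unrar l` / `7z l`.

```python
import re
from typing import Dict, List, Set, Tuple

# Extensions that a shell would execute if a "document" were double-clicked.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".wsf", ".exe", ".scr", ".lnk")

# "<stem> <ext>": whitespace between the name and the extension, e.g. "X.pdf .cmd".
_SPACE_EXT = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")


def _components(entry: str) -> Tuple[List[str], bool]:
    """Split an archive entry into path components; trailing slash marks a directory entry."""
    name = entry.replace("\\", "/")
    parts = [p for p in name.split("/") if p]
    return parts, name.endswith("/")


def _norm(parts: List[str]) -> str:
    """Key that ignores case and trailing whitespace, which is how the Windows shell treats names."""
    return "/".join(p.rstrip().lower() for p in parts)


def find_decoy_collisions(entries: List[str]) -> List[dict]:
    """Report every file whose name also exists as a directory in the same archive, with the
    directory's children annotated for script extensions and decoy-mimicking names."""
    dirs: Set[str] = set()
    files: Dict[str, str] = {}  # normalized path -> original entry name
    for e in entries:
        parts, is_dir = _components(e)
        if not parts:
            continue
        for i in range(1, len(parts)):          # implicit parent directories count too
            dirs.add(_norm(parts[:i]))
        if is_dir:
            dirs.add(_norm(parts))
        else:
            files[_norm(parts)] = e

    findings = []
    for key, original in files.items():
        if key not in dirs:
            continue
        decoy_leaf = key.rsplit("/", 1)[-1]
        children = []
        for other_key, other in files.items():
            if not other_key.startswith(key + "/"):
                continue
            leaf = _components(other)[0][-1]
            m = _SPACE_EXT.match(leaf)
            children.append({
                "entry": other,
                "script": leaf.lower().endswith(SCRIPT_EXTS),
                "mimics_decoy": bool(m) and m.group("stem").rstrip().lower() == decoy_leaf,
            })
        findings.append({
            "decoy": original,
            "children": children,
            "high_confidence": any(c["script"] and c["mimics_decoy"] for c in children),
        })
    return findings


# Constructed listings: the first mirrors the layout described in the analysis, the second is benign.
SAMPLE_LISTING = [
    "CLASSIFIED_DOCUMENTS.pdf",
    "CLASSIFIED_DOCUMENTS.pdf/",
    "CLASSIFIED_DOCUMENTS.pdf/CLASSIFIED_DOCUMENTS.pdf .cmd",
]
BENIGN_LISTING = ["report.pdf", "images/", "images/fig1.png"]


if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, BENIGN_LISTING):
        print(find_decoy_collisions(listing))
```

A mail gateway or sandbox can run this on the entry list of every archive it sees; the `high_confidence` flag isolates the exact pattern from this analysis, while a bare file/directory collision with no script child is worth logging but not blocking, since some archivers produce it legitimately.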
Build and exploit
Build process: after customizing the files in the PoC, generate the archive with the Python script provided by the author.
Mitigation: uninstall the old version and install WinRAR 6.23 or newer.