WinRAR vulnerability reproduction process

0x01 Vulnerability Description

The Check Point team recently disclosed a vulnerability that had been present in WinRAR for 19 years and can be used to take control of a victim's computer. An attacker only needs to craft a malicious archive; the vulnerability is triggered when the victim extracts the malicious file with WinRAR.

The vulnerability stems from an outdated dynamic link library, UNACEV2.dll, that WinRAR uses to process the ACE format. The DLL was compiled in 2006 and has none of the basic protection mechanisms (ASLR, DEP, etc.). When WinRAR extracts an ACE archive, the file name in the archive is not adequately filtered, which allows directory traversal: malicious files can be written to arbitrary directories, including the startup folder, leading to code execution.

0x02 Vulnerability Impact

Affected Software:

WinRAR < 5.70 Beta 1

Bandizip < = 6.2.0.0

2345 HaoZip (好压) <= 5.9.8.10907

360 Compression <= 4.0.0.1170

and many more…

0x03 Vulnerability Reproduction

Reproduction process: first create an arbitrary file, compress it with WinACE, then edit the file name stored in the archive header to achieve directory traversal, so that the file is extracted to an arbitrary directory.

The main tools required are WinACE and 010Editor.

Download and install WinACE. Once installation is complete, create a new text file with any name.

Then compress it with WinACE.

Next, download the acefile.py script.

Use the command python acefile.py --headers liehu.ace to read the file header information.

According to the vulnerability description, the problem lies in the filename. It mainly depends on the following header fields.

Open the file with 010Editor.

We need to compare the selection against the acefile.py parsing results to understand what each segment of the header corresponds to.

To modify the filename, the several places marked above need to be changed: the first is 0x4e9a (hdr_crc), the second is 0x0044 (hdr_size), the third is 0x0025 (the length of filename), and the last is the filename itself.

The modifications are made from back to front.

Here the filename is changed to d:\d:\liehu.txt

Its length is 15, which is 0x000f in hex.

Then modify hdr_size: the new length is 46, which is 0x002E in hex.

Next comes modifying hdr_crc, for which there is a shortcut.

Run the command python acefile.py --headers liehu.ace again.

The program aborts with CorruptedArchiveError: header CRC failed

Locate the position of the error.

Here the value of ace_crc16(buf) is the value that belongs at offset 0x4e9a in the ACE file; simply print this value and write it to that position.

The corresponding value is 63232, which is 0xF700 in hex.

The final file content is as follows.

Checking again, the file parses normally and the filename has been successfully modified.

Right-click to extract the file, and a liehu.txt file is created on drive D.

Test file: https://fuping.site/files/liehu.ace

After extraction, a liehu.txt file is created on drive D.
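The header arithmetic above (hdr_size 0x44 with a 0x25-byte filename, then 0x2E with a 15-byte one) means a FILE32 header carries exactly 31 fixed bytes before the filename. The following added example (not from the original post or from acefile.py) uses that layout, as a defender would, to pull the stored filename out of an ACE file header and reject the drive-letter and ".." names that make this extraction unsafe; the test headers are constructed inline and hdr_crc is left at zero because header CRC verification is not part of this check.

```python
import struct

# FILE32 header body layout (bytes after the 4-byte hdr_crc/hdr_size prefix):
#   hdr_type(1) hdr_flags(2) packsize(4) origsize(4) datetime(4) attribs(4)
#   crc32(4) comptype(1) compqual(1) params(2) reserved1(2) fnsize(2) filename
TYPE_FILE32 = 1
FIXED_LEN = 31  # matches 0x44 - 0x25 and 0x2E - 0x0F from the walkthrough


def parse_file32_header(blob, offset=0):
    """Return (filename, fnsize, hdr_size) for the FILE32 header at offset."""
    hdr_crc, hdr_size = struct.unpack_from('<HH', blob, offset)
    body = blob[offset + 4:offset + 4 + hdr_size]
    if len(body) != hdr_size:
        raise ValueError('header truncated: hdr_size %d exceeds data' % hdr_size)
    hdr_type, hdr_flags = struct.unpack_from('<BH', body, 0)
    if hdr_type != TYPE_FILE32:
        raise ValueError('not a FILE32 header (type %d)' % hdr_type)
    # body[3:23] holds packsize, origsize, datetime, attribs, crc32 (unused here)
    comptype, compqual, params, reserved1, fnsize = struct.unpack_from('<BBHHH', body, 23)
    if FIXED_LEN + fnsize > hdr_size:
        raise ValueError('fnsize %d does not fit in hdr_size %d' % (fnsize, hdr_size))
    return body[FIXED_LEN:FIXED_LEN + fnsize].decode('latin-1'), fnsize, hdr_size


def unsafe_reason(name):
    """Why a member name must not be used as an extraction path (None if safe)."""
    if ':' in name:
        return 'drive specifier'  # d:\d:\x stays absolute even after one d:\ is stripped
    if name.startswith(('\\', '/')):
        return 'absolute or UNC path'
    if '..' in name.replace('\\', '/').split('/'):
        return 'parent directory traversal'
    return None


def constructed_header(name):
    """Constructed test fixture only: FILE32 header with hdr_crc set to 0."""
    fn = name.encode('latin-1')
    body = struct.pack('<BH', TYPE_FILE32, 0) + struct.pack('<LLLLL', 0, 0, 0, 0, 0)
    body += struct.pack('<BBHHH', 0, 0, 0, 0, len(fn)) + fn
    return struct.pack('<HH', 0, len(body)) + body


def scan(blob):
    """Parse the first header and report (filename, reason) for an extractor to act on."""
    name, fnsize, hdr_size = parse_file32_header(blob)
    return name, unsafe_reason(name)


if __name__ == '__main__':
    for n in ('liehu.txt', r'd:\d:\liehu.txt', r'..\..\liehu.txt'):
        print(scan(constructed_header(n)))
```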

0x04 Remediation Suggestions

There are two options:

  1. Upgrade to the latest version; the current WinRAR version is 5.70 Beta 1

  2. Delete the UNACEV2.dll file

Extracting the malicious file again will then produce the following error:

0x05 References

https://research.checkpoint.com/extracting-code-execution-from-winrar/

Source: www.cnblogs.com/anbuxuan/p/11777632.html