造成遠端程式碼執行的 WinRAR 絕對路徑周遊弱點 (CVE-2018-20250)

A 19-year-old vulnerability in WinRAR’s ACE file format support (CVE-2018-20250) has been identified as part of an attack in the wild.

背景說明

On February 20, researchers at Check Point Research (CPR) published a blog detailing their discovery of multiple vulnerabilities within a library used by WinRAR, a popular file compression tool, to extract ACE archives. When exploited, these vulnerabilities can lead to remote code execution. An exploit script was published to Github one day after CPR’s blog post. The 360 Threat Intelligence Center (TIC) has reportedly identified an in-the-wild sample that attempts to exploit this vulnerability.

Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.https://t.co/bK0ngP2nIy

IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443 pic.twitter.com/WpJVDaGq3D

— 360 Threat Intelligence Center (@360TIC) February 25, 2019

分析

CPR disclosed a total of four CVEs: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253.

CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005 (14 years ago). A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.

CVE-2018-20251 is a vulnerability in how WinRAR calls a validation function when handling ACE archives. The validation function is designed to prevent the extraction of files that contain path traversal patterns. However, the value from the validation function is not returned until after files or folders have been created.

Both CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.

概念驗證

CPR created a proof of concept video, included in its blog post, that showcases how an ACE archive can extract a malicious file into the Windows Startup folder.

A proof of concept was also published to Github.

解決方法

WinRAR has decided to drop support for unpacking ACE archives in WinRAR 5.70 Beta 1. The current beta version is 5.70 Beta 2. WinRAR users are encouraged to upgrade to the latest beta version as soon as possible.

找出受影響的系統

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

取得更多資訊

• Extracting a 19-Year-Old Code Execution from WinRAR
• exp for Extracting Code Execution From Winrar (Github)
• poc file of extracting-code-execution-from-winrar (Github)
• National Vulnerability Database (NVD): CVE-2018-20250

加入 Tenable Community 的 Tenable 安全回應團隊。

深入瞭解 Tenable，這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

Get a free 60-day trial of Tenable.io Vulnerability Management.