module
RARLAB WinRAR ACE Format Input Validation Remote Code Execution
| Disclosed | Created |
|---|---|
| 2019-02-05 | 2019-04-24 |
Disclosed
2019-02-05
Created
2019-04-24
Description
In WinRAR versions prior to and including 5.61, there is path traversal vulnerability
when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename
field is manipulated with specific patterns, the destination (extraction) folder is
ignored, thus treating the filename as an absolute path. This module will attempt to
extract a payload to the startup folder of the current user. It is limited such that
we can only go back one folder. Therefore, for this exploit to work properly, the user
must extract the supplied RAR file from one folder within the user profile folder
(e.g. Desktop or Downloads). User restart is required to gain a shell.
when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename
field is manipulated with specific patterns, the destination (extraction) folder is
ignored, thus treating the filename as an absolute path. This module will attempt to
extract a payload to the startup folder of the current user. It is limited such that
we can only go back one folder. Therefore, for this exploit to work properly, the user
must extract the supplied RAR file from one folder within the user profile folder
(e.g. Desktop or Downloads). User restart is required to gain a shell.
Authors
Nadav Grossman
Imran E. Dawoodjee imrandawoodjee.infosec@gmail.com
Imran E. Dawoodjee imrandawoodjee.infosec@gmail.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.