Rapid7 Vulnerability & Exploit Database

RARLAB WinRAR ACE Format Input Validation Remote Code Execution

Back to Search

RARLAB WinRAR ACE Format Input Validation Remote Code Execution

Disclosed
02/05/2019
Created
04/24/2019

Description

In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. This module will attempt to extract a payload to the startup folder of the current user. It is limited such that we can only go back one folder. Therefore, for this exploit to work properly, the user must extract the supplied RAR file from one folder within the user profile folder (e.g. Desktop or Downloads). User restart is required to gain a shell.

Author(s)

  • Nadav Grossman
  • Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>

Platform

Windows

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/fileformat/winrar_ace
msf exploit(winrar_ace) > show targets
    ...targets...
msf exploit(winrar_ace) > set TARGET < target-id >
msf exploit(winrar_ace) > show options
    ...show and set options...
msf exploit(winrar_ace) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;