WinRAR 绝对路径遍历漏洞可导致远程代码执行 (CVE-2018-20250)
A 19-year-old vulnerability in WinRAR’s ACE file format support (CVE-2018-20250) has been identified as part of an attack in the wild.
背景
On February 20, researchers at Check Point Research (CPR) published a blog detailing their discovery of multiple vulnerabilities within a library used by WinRAR, a popular file compression tool, to extract ACE archives. When exploited, these vulnerabilities can lead to remote code execution. An exploit script was published to Github one day after CPR’s blog post. The 360 Threat Intelligence Center (TIC) has reportedly identified an in-the-wild sample that attempts to exploit this vulnerability.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.https://t.co/bK0ngP2nIy
— 360 Threat Intelligence Center (@360TIC) February 25, 2019
IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443 pic.twitter.com/WpJVDaGq3D
分析
CPR disclosed a total of four CVEs: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253.
CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005 (14 years ago). A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.
CVE-2018-20251 is a vulnerability in how WinRAR calls a validation function when handling ACE archives. The validation function is designed to prevent the extraction of files that contain path traversal patterns. However, the value from the validation function is not returned until after files or folders have been created.
Both CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
概念验证
CPR created a proof of concept video, included in its blog post, that showcases how an ACE archive can extract a malicious file into the Windows Startup folder.
A proof of concept was also published to Github.
解决方案
WinRAR has decided to drop support for unpacking ACE archives in WinRAR 5.70 Beta 1. The current beta version is 5.70 Beta 2. WinRAR users are encouraged to upgrade to the latest beta version as soon as possible.
识别受影响的系统
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
获取更多信息
- Extracting a 19-Year-Old Code Execution from WinRAR
- exp for Extracting Code Execution From Winrar (Github)
- poc file of extracting-code-execution-from-winrar (Github)
- National Vulnerability Database (NVD): CVE-2018-20250
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
Get a free 60-day trial of Tenable.io Vulnerability Management.
相关文章
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Vulnerability Management
- Vulnerability Scanning