├── README.md
├── LICENSE
└── Part-1-Overview.md

/README.md:
--------------------------------------------------------------------------------
# Understanding WinRAR Code Execution Vulnerability (CVE-2023-38831)

- The Overview: [Part-1](https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/main/Part-1-Overview.md)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 neeraj

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Part-1-Overview.md:
--------------------------------------------------------------------------------
# Understanding WinRAR Code Execution Vulnerability: CVE-2023-38831 (Part-1)

On 23rd August 2023, the Group-IB Threat Intelligence Unit released a [blog](https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/) in which they identified a zero-day vulnerability in WinRAR ([CVE-2023-38831](https://nvd.nist.gov/vuln/detail/CVE-2023-38831)) that had been exploited by threat actors in the wild since April 2023; you can go through the blog for a better understanding.

After reversing the vulnerable version of WinRAR and the weaponized ZIP archive for a few hours, I was able to reproduce the WinRAR Code Execution Vulnerability (CVE-2023-38831) as shown below.

PoC: https://twitter.com/knight0x07/status/1695146888612417913

As seen in the PoC, when the victim opens "Invoices.pdf" from a vulnerable version of WinRAR, the calculator is spawned by exploiting the WinRAR code execution vulnerability.

The weaponized ZIP archive requires only two things to exploit the vulnerability and execute the malicious code, as shown below:

- A trailing space after the name of both the Invoices.pdf file and the folder -> **"Invoices.pdf "** (the file/folder name could be anything, but it should be identical for both)
- The **"Invoices.pdf "** folder contains the file with the malicious code to be executed; its name should be identical to the previous file/folder name but with a double extension, and optionally (not necessary) a trailing space -> **"Invoices.pdf .cmd "**
- Now when **"Invoices.pdf "** is opened from a vulnerable WinRAR, "Invoices.pdf .cmd " is executed by exploiting the vulnerability, eventually spawning calc.exe

![1](https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/assets/60843949/65bc8de4-d592-4f5f-be5e-d4af86628cce)

**The following anomalies can be leveraged to detect the weaponized ZIP archives**

**Note:** The reason for this setup of the files in the weaponized ZIP archive will be explained in **Part-2 of this post**, where we **deep dive and reverse engineer the vulnerability & understand the working =) Stay tuned!**

Now once **"Invoices.pdf "** is opened, **"Invoices.pdf .cmd"** is executed from the RAR Temp folder by exploiting the Code Execution Vulnerability, which then spawns calc.exe.

**Process Tree:**

![2](https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/assets/60843949/eeca2c38-1c16-400e-a636-59ddf3c2954f)

**WinRAR.exe -> "cmd.exe /c C:\Users\\AppData\Local\Temp\Rar$DIa6648.25234\Invoices.pdf .cmd"**

Here the RAR Temp folder "Rar$DIa6648.25234" contains the extracted "Invoices.pdf" and "Invoices.pdf .cmd" (the malicious script spawning calc.exe).

**The following behaviour can be leveraged for detection purposes: WinRAR spawning cmd.exe to execute a file with a double extension from the RAR Temp folder, and the dropping of a file (Operation: CreateFile) with a double extension in the RAR Temp folder.**

--------------

**Thanks & stay tuned for Part-2 of this post, where we reverse engineer & understand the WinRAR Code Execution Vulnerability (CVE-2023-38831) in detail.**

~ knight0x07

Contact:

- Twitter: https://twitter.com/knight0x07
- LinkedIn: https://www.linkedin.com/in/niraj-s
- Website: https://knight0x07.github.io
--------------------------------------------------------------------------------
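A static check for the archive layout described in Part-1 above (same name used for a file and a folder, both with a trailing space, and a double-extension file inside the folder). This is an added example, not code from the original post; it uses only the Python standard library, builds its own harmless test archives inline, and the `EXEC_EXTS` list is an assumption.

```python
import io
import zipfile
from typing import List

# Second extensions worth flagging; this list is an assumption for the example, not from the write-up.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr")


def find_cve_2023_38831_candidates(zip_bytes: bytes) -> List[str]:
    """Return entries that follow the suspicious layout (empty list = nothing found).

    Pattern: a file entry "X " (trailing space) and a folder "X " share one name, and the
    folder holds a file whose name starts with "X " and ends in a second, executable extension.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:                      # folders may exist only implicitly, via their children
        if "/" in n:
            dirs.add(n.rsplit("/", 1)[0])
    hits = []
    for base in files & dirs:            # same name used for both a file and a folder
        if not base.endswith(" "):       # the trailing space is the key anomaly
            continue
        for n in files:
            if not n.startswith(base + "/"):
                continue
            inner = n[len(base) + 1:].rstrip(" ").lower()   # trailing space on the payload is optional
            if inner.startswith(base.lower()) and inner.endswith(EXEC_EXTS):
                hits.append(n)
    return sorted(hits)


def build_sample_archive() -> bytes:
    """Constructed, harmless archive mirroring the layout in the write-up (payload is a no-op)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoices.pdf ", b"%PDF-1.4 constructed decoy, not a real document")
        zf.writestr("Invoices.pdf /Invoices.pdf .cmd ", b"REM constructed placeholder, does nothing")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with an ordinary layout, to confirm the check does not over-match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoices.pdf", b"%PDF-1.4 constructed")
        zf.writestr("scans/Invoices.pdf.txt", b"constructed notes")
    return buf.getvalue()
```

Running `find_cve_2023_38831_candidates` over an archive read from disk works the same way; the check only looks at entry names, so it is cheap enough to run on every inbound ZIP.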
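The two host-side anomalies named above (WinRAR spawning cmd.exe on a double-extension file under `Temp\Rar$...`, and a CreateFile of such a file in that folder) turned into detection logic over constructed Sysmon-style records. This is an added example, not from the original post; the record format, the `user` profile name standing in for the elided username, and the extension list are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, Sysmon-style records (key=value fields, pipe separated); not real telemetry.
# "user" stands in for the victim's profile name, which the write-up elides.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\WinRAR\\WinRAR.exe|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\Rar$DIa6648.25234\\Invoices.pdf .cmd\"",
    "Image=C:\\Program Files\\WinRAR\\WinRAR.exe"
    "|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\Rar$DIa6648.25234\\Invoices.pdf .cmd",
    "Image=C:\\Program Files\\WinRAR\\WinRAR.exe"
    "|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\Rar$DIa6648.25234\\Invoices.pdf",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c \"C:\\Users\\user\\Desktop\\build.cmd\"",
]

# A file name directly under a WinRAR temp folder (Temp\Rar$...\<name>); stops at a backslash or quote.
RAR_TEMP_NAME = re.compile(r'\\Temp\\Rar\$[^\\]+\\(?P<name>[^\\"]+)', re.IGNORECASE)
# "<base>.<ext1> .<ext2>" (space before the second extension optional) with an executable ext2.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5} ?\.(cmd|bat|exe|com|vbs|js|ps1|scr)\s*$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    return dict(field.split("=", 1) for field in line.split("|"))


def match_winrar_temp_double_ext(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (event kind, file name) when the event fits the CVE-2023-38831 pattern, else None."""
    if "CommandLine" in event:            # process creation: WinRAR must be the parent
        kind, actor, target = "ProcessCreate", event.get("ParentImage", ""), event["CommandLine"]
    elif "TargetFilename" in event:       # file creation: WinRAR must be the writer
        kind, actor, target = "FileCreate", event.get("Image", ""), event["TargetFilename"]
    else:
        return None
    if not actor.lower().endswith("\\winrar.exe"):
        return None
    m = RAR_TEMP_NAME.search(target)
    if not m or not DOUBLE_EXT.search(m.group("name")):
        return None
    return kind, m.group("name")


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    hits = []
    for line in lines:
        hit = match_winrar_temp_double_ext(parse_event(line))
        if hit:
            hits.append(hit)
    return hits
```

The third sample (WinRAR writing a plain `Invoices.pdf` into its temp folder) is the normal open-from-archive path and must not fire, which is why the double-extension test is applied to the file name rather than to the folder alone.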