Last modified:
[warnings] this .rar file contains potentially unwanted software
All WinRAR versions before 6.23 are affected by a vulnerability that lets an attacker disguise malware as a legitimate file by creating a specially crafted .rar archive.
This malicious archive contains a legitimate-looking file (such as a PDF or JPG) paired with a malicious subfolder that shares the same name as the legitimate file.
The content of this subfolder is executed via a command-line string once the user opens the legitimate-looking file by browsing the malicious archive directly, without extracting it first.
In my example, the string is @Echo off start "" "%~dp0nwWenkAW.exe" start "" "%~dp0wsk.gif", where nwWenkAW.exe is a simple msf payload, wsk.gif is a legitimate gif (my profile picture), and "dp0" is a batch variable that expands the path for content execution. That way, wsk.gif is displayed on screen and nwWenkAW.exe is running at the same time. You're finally done: your device displayed my profile picture, but in the background the famous Meterpreter reverse shell is running as well.

The vulnerability has been patched by WinRAR, but there are still a lot of unpatched users. To prevent attacks you should update your WinRAR instance, which is obvious. Another mitigation appears to be to always extract .rar archives rather than opening files directly from inside them.
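The structural trait described above (a file entry and a subfolder entry that share a name once trailing whitespace is ignored, with something executable inside the folder) can be checked from the archive listing alone, before anyone double-clicks anything. The following is an added example written for this page, not code from the post or from the linked PoC. It uses Python's standard zipfile module to build and scan a constructed sample with the same layout (ZIP preserves trailing spaces in names just as RAR does); for a real .rar you would pass rarfile.RarFile(path).namelist() from the third-party rarfile package into the same function. The extension list is an assumption of the example, not something the post specifies, and the sample archive contains only inert placeholder bytes.

```python
import io
import posixpath
import zipfile

# Assumed list of extensions Windows executes on "open"; a file of this kind inside a
# folder that shadows a decoy's name is the pattern the post describes.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf", ".ps1", ".scr", ".lnk"}


def find_decoy_collisions(names):
    """Return (decoy_file, executable_inside_shadowing_dir) pairs found in a listing.

    `names` are archive entry names as returned by zipfile.ZipFile.namelist() or
    rarfile.RarFile.namelist(): forward-slash paths, directory entries may end in "/".
    A collision is a directory whose name equals a file's name after trailing
    whitespace is stripped ("wsk.gif " and "wsk.gif" look identical to the user).
    """
    files = set()        # every file entry, full path
    dir_children = {}    # directory path -> leaf names of files directly inside it
    for name in names:
        if name.endswith("/"):
            dir_children.setdefault(name.rstrip("/"), [])
            continue
        parent, leaf = posixpath.split(name)
        files.add(name)
        if parent:
            dir_children.setdefault(parent, []).append(leaf)

    findings = []
    for decoy in sorted(files):
        for directory, children in dir_children.items():
            if directory.rstrip() != decoy.rstrip():
                continue
            for child in children:
                ext = posixpath.splitext(child.rstrip())[1].lower()
                if ext in EXEC_EXTS:
                    findings.append((decoy, directory + "/" + child))
    return findings


def build_sample_archive():
    """Constructed ZIP that reproduces only the layout from the post.

    All contents are inert placeholder bytes; this is a detection sample, not the
    PoC archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wsk.gif ", b"GIF89a placeholder")                # decoy, trailing space
        zf.writestr("wsk.gif /wsk.gif .cmd", b"@echo off\r\nrem placeholder\r\n")
        zf.writestr("wsk.gif /nwWenkAW.exe", b"MZ placeholder")
        zf.writestr("notes.txt", b"unrelated benign file")
    return buf.getvalue()


def scan_zip_bytes(data):
    """Run the listing check over an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_collisions(zf.namelist())


if __name__ == "__main__":
    for decoy, payload in scan_zip_bytes(build_sample_archive()):
        print(f"SUSPICIOUS: {decoy!r} is shadowed by {payload!r}")
```

The check deliberately works on names only, so a mail gateway or upload scanner can run it without extracting anything; a plain folder next to an image, or a shadowing folder that holds only media files, produces no finding.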
Python PoC by Y0ung-DST https://github.com/HDCE-inc/CVE-2023-38831/blob/main/exploit.py
Testing the sample (not FUD, contains basic msfvenom code):
Download poc.zip, extract poc.rar from the zip, then open the rar file directly and click on wsk.jpg.
Open Task Manager and check for an "ApacheBench command line utility (32bit)" instance running, then kill it. This example is provided as a demonstration, so AV should be disabled and it should be run in a controlled environment, such as a sandbox or VM.
PS. I have configured my payload to automatically grab a screenshot of the VM whenever the malicious archive is executed. I'm not sitting here 24h waiting for a reverse shell to open.