CVE-2023-38831 WinRAR Vulnerability
Overview
Triggering the vulnerability involves two stages:
- When the bait file is clicked, the files inside the folder with the same name are extracted along with it.
- When the file is executed, the .cmd file from that folder runs instead of the original file.
Release file
After the user clicks the file, WinRAR traverses the directory of the zip archive and compares each entry's name (entry_name) against the clicked file name (click_name). The fourth parameter (option) of the comparison function at 0047F790 is 0x80000006. That function calls 00496020, passing option as its third parameter, and 00496020 performs the string comparison between click_name and entry_name.
Because the comparison length passed in is the length of click_name, a comparison between "CLASSIFIED_DOCUMENTS.pdf " and "CLASSIFIED_DOCUMENTS.pdf \\CLASSIFIED_DOCUMENTS.pdf .cmd" succeeds, since only the first len(click_name) characters are checked. Therefore, when the archive contains a folder with the same name as the clicked file, the comparison function returns 1 to indicate a match, and the file corresponding to that entry is extracted together with the clicked file.
In the fixed version, 6.23 beta, the option value passed to the comparison function is 0x80000002. With this option, the comparison function first extracts the directory name of each of the two parameters and compares those, so the situation above no longer matches.
In the new version, the option value is controlled by a flag: once the temporary directory has been created successfully, the flag is set and is consulted during the parsing process.
File execution
Take the PoC from the project's GitHub repository.
After the user double-clicks the pdf file in the WinRAR display window, WinRAR calls ShellExecuteExW to execute the file. The parameter passed in here is: "C:\\Users\\DELL\\AppData\\Local\\Temp\\Rar$DIa21552.1835\\CLASSIFIED_DOCUMENTS.pdf "
Because of the bug described above, two files are extracted into the temporary folder: CLASSIFIED_DOCUMENTS.pdf and CLASSIFIED_DOCUMENTS.pdf .cmd
The trailing spaces of both file names are removed in function 4A26B0.
Since the ShellExecuteExW parameter still ends with a space, the second file, the .cmd, is executed instead, and the vulnerability is triggered.
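The two stages above, the length-limited name comparison and the trailing-space execution, can be modelled and turned into a scan for archives laid out this way. The following is an added example, not code from the writeup or from WinRAR: the two match functions approximate the pre-fix and fixed comparisons as the text describes them, the executable-extension set and the sample entry names are constructed assumptions, and scan_archive reads a zip because the PoC is a zip.

```python
import ntpath
import zipfile

# Extensions Windows runs directly; the set is an assumption of this example.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr"}

def vulnerable_match(click_name, entry_name):
    """Model of the pre-6.23 check: only len(click_name) characters are
    compared, so an entry under a folder named like the clicked file matches."""
    return entry_name[:len(click_name)] == click_name

def fixed_match(click_name, entry_name):
    """Model of the 6.23 beta check: directory parts are compared first."""
    if ntpath.dirname(click_name) != ntpath.dirname(entry_name):
        return False
    return ntpath.basename(click_name) == ntpath.basename(entry_name)

def effective_extension(name):
    """Extension Windows acts on once the trailing spaces are stripped."""
    return ntpath.splitext(ntpath.basename(name).rstrip(" "))[1].lower()

def find_suspicious_entries(names):
    """Return (bait, payload) pairs: the vulnerable comparison would extract
    'payload' alongside the top-level file 'bait', and payload is executable."""
    norm = [n.replace("/", "\\") for n in names]
    hits = []
    for bait in (n for n in norm if "\\" not in n):
        for entry in norm:
            if entry == bait or entry.endswith("\\"):
                continue
            if (vulnerable_match(bait, entry) and not fixed_match(bait, entry)
                    and effective_extension(entry) in EXECUTABLE_EXTS):
                hits.append((bait, entry))
    return hits

def scan_archive(path):
    """Run the heuristic over a zip on disk (the page's PoC is a zip)."""
    with zipfile.ZipFile(path) as zf:
        return find_suspicious_entries(zf.namelist())

# Constructed entry list mirroring the layout described on the page.
SAMPLE_NAMES = ["CLASSIFIED_DOCUMENTS.pdf ", "CLASSIFIED_DOCUMENTS.pdf /",
                "CLASSIFIED_DOCUMENTS.pdf /CLASSIFIED_DOCUMENTS.pdf .cmd"]

if __name__ == "__main__":
    for bait, payload in find_suspicious_entries(SAMPLE_NAMES):
        print(f"clicking {bait!r} would also extract {payload!r}")
```

A benign archive whose folders do not share a file's exact name, trailing space included, produces no hits; RAR input would need a RAR reader in place of zipfile.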