A newly disclosed security vulnerability in RarLab's UnRAR utility could, if successfully exploited, permit a remote attacker to execute arbitrary code on a system that relies on the binary.
Tracked as CVE-2022-30333, the flaw is a path traversal vulnerability in the Unix versions of UnRAR that can be triggered when a maliciously crafted RAR archive is extracted.
RarLab fixed the flaw in version 6.12, released on May 6, 2022, two days after it was discovered on May 4. The Windows and Android versions of the software are not affected.
SonarSource researcher Simon Scannell said in a report released on Tuesday that "an attacker can create files outside of the target extraction directory." Writing to a known location means that they are likely to use it in a way which will allow them to carry out arbitrary system actions.
It's important to note that this flaw affects any software that extracts untrusted archives using an unpatched version of UnRAR.
Zimbra collaboration suite is one such case: there, the bug can be turned into a pre-authenticated remote code execution vulnerability that could allow an attacker to gain complete control of an email server and use it to access or modify other internal resources on the company's network.
At the heart of the vulnerability is a symbolic link attack, in which a RAR archive is crafted so that it contains a symlink whose target mixes forward slashes and backslashes (e.g., "..\..\..\tmp/shell").
More specifically, the problem lies in a function designed to convert backslashes ('\') to forward slashes ('/') so that a RAR archive created on Windows can be extracted on a Unix system. Because the symlink target is checked for directory traversal before this conversion runs, the "..\..\..\tmp" portion is not recognised as traversal, and the conversion then effectively changes the symlink target from "..\..\..\tmp/shell" to "../../../tmp/shell" after the check has already passed.
By exploiting this, an attacker can write arbitrary files anywhere on the target filesystem, including dropping a JSP shell in Zimbra's web directory and executing malicious commands.
The only requirement for the attack to succeed is that UnRAR is present on the server, which it is expected to be, since Zimbra relies on it for virus scanning and spam checking of RAR archives.
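To make the check-then-convert ordering concrete, the following is a small Python model of the extraction step, added here as an illustration; it is not code from UnRAR, Zimbra or SonarSource's write-up. The archive entries, the helper names (dos_slash_to_unix, is_relative_symlink_safe, extract, demo) and the fake filesystem root created under a temporary directory are all constructed for the example. It runs the vulnerable ordering (check, then convert) and the hardened ordering (convert, then check) on the same crafted symlink so the reader can see why normalising the target before validating it closes the hole.

```python
import os
import shutil
import tempfile

# Constructed archive entries modelling the attack described above. This is not
# a RAR parser: entry 1 is a symlink whose target mixes backslashes and a forward
# slash, entry 2 is a regular file that is written through that symlink.
CRAFTED_ENTRIES = [
    {"name": "a", "link": r"..\..\..\tmp/shell"},
    {"name": "a", "data": b"<% out.println(\"shell\"); %>"},
]


def dos_slash_to_unix(path):
    """Backslash-to-slash conversion so archives made on Windows extract on Unix."""
    return path.replace("\\", "/")


def is_relative_symlink_safe(target):
    """Reject absolute targets and any '..' component, splitting only on '/'."""
    if target.startswith("/"):
        return False
    return all(part != ".." for part in target.split("/"))


def extract(entries, dest, check_before_convert):
    """Toy extractor. check_before_convert=True models the vulnerable ordering."""
    os.makedirs(dest, exist_ok=True)
    for entry in entries:
        path = os.path.join(dest, entry["name"])
        if "link" in entry:
            target = entry["link"]
            if check_before_convert:
                # Vulnerable: the check sees '..\..\..\tmp' as one harmless
                # component; only afterwards does conversion turn it into ../../../tmp
                safe = is_relative_symlink_safe(target)
                target = dos_slash_to_unix(target)
            else:
                # Hardened: normalise first so the check sees the real components
                target = dos_slash_to_unix(target)
                safe = is_relative_symlink_safe(target)
            if not safe:
                raise ValueError("unsafe symlink target: %r" % entry["link"])
            os.symlink(target, path)
        else:
            # open() follows the symlink left behind by the previous entry
            with open(path, "wb") as fh:
                fh.write(entry["data"])


def demo(check_before_convert):
    """Extract into a fake root under a temp dir; return (escaped, detail)."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "tmp"))
        dest = os.path.join(root, "srv", "app", "extract")  # three levels deep
        try:
            extract(CRAFTED_ENTRIES, dest, check_before_convert)
        except ValueError as exc:
            return False, str(exc)
        escaped = os.path.isfile(os.path.join(root, "tmp", "shell"))
        return escaped, "written outside extraction dir" if escaped else "contained"
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("vulnerable ordering:", demo(True))
    print("hardened ordering:  ", demo(False))
```

With the vulnerable ordering the symlink is accepted, the second entry is written through it, and a file appears in the fake root's tmp directory, three levels above the extraction directory; with the hardened ordering the same target is rejected before any link is created. The same principle applies to any extractor: validate paths only after every platform-specific normalisation has been applied.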