RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities - Nessus
Severity: High
Plugin ID: 122448
This page contains detailed information about the RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.
Plugin Overview
ID: 122448
Name: RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities
Filename: winrar_5_70_beta_1.nasl
Vulnerability Published: 2019-02-20
This Plugin Published: 2019-02-27
Last Modification Time: 2022-04-11
Plugin Version: 1.9
Plugin Type: local
Plugin Family: Windows
Dependencies: winrar_win_installed.nbin
Required KB Items: installed_sw/RARLAB WinRAR, SMB/Registry/Enumerated
Vulnerability Information
Severity: High
Vulnerability Published: 2019-02-20
Patch Published: 2019-02-20
CVE: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253
CPE: cpe:/a:rarlab:winrar
Exploited by Malware: True
Synopsis
An application installed on the remote Windows host is affected by multiple vulnerabilities.
Description
The version of RARLAB WinRAR installed on the remote Windows host is prior to 5.70 Beta 1. It is, therefore, affected by the following vulnerabilities:
- An error exists in the file 'unacev2.dll' related to the 'filename' field that allows a specially crafted ACE archive to overwrite files outside the destination folder. Such files could be placed in system startup locations and thus lead to arbitrary code execution on next boot. (CVE-2018-20250)
- An input-validation error exists in the file 'unacev2.dll' related to handling ACE archives and filenames that allows path traversal pattern checking to be bypassed. (CVE-2018-20251)
- An out-of-bounds write error exists related to handling ACE and RAR file parsing that allows arbitrary code execution. (CVE-2018-20252)
- An out-of-bounds write error exists related to handling LHA and LZH file parsing that allows arbitrary code execution. (CVE-2018-20253)
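The first two items above describe one class of defect: the extractor trusts the archive's filename field when it builds the output path. The Python below is an added example, not code from this page, from Tenable or from WinRAR; it shows the containment check an extractor should apply to every entry name before writing anything, run over a handful of constructed entry names (not taken from any real ACE or RAR archive). Normalising both separator styles before checking is the standard way to avoid a pattern check that only matches one spelling of a traversal sequence.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# A Windows drive-letter prefix such as "C:" marks an absolute path.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Constructed entry names of the shape an extractor reads from an archive header.
# Illustration only; not taken from any real ACE or RAR archive.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "normal\\nested\\file.bin",
    "./sub/./notes.txt",
    "../../escaped.txt",
    "a/..\\../escaped.txt",
    "C:\\Windows\\Temp\\dropped.exe",
    "\\\\server\\share\\dropped.exe",
    "/etc/passwd",
]


def safe_extract_path(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the path this entry may be written to, or None if it would
    leave dest_dir.  The entry name is attacker-controlled data, so it is
    normalised first and checked afterwards, never the other way round."""
    # Treat "\" and "/" alike: Windows extractors accept both, so a check that
    # only looks for one spelling of ".." can be sidestepped by the other.
    name = entry_name.replace("\\", "/")

    # Absolute paths, UNC paths ("//server/share") and drive letters are never
    # legitimate inside an archive meant for relative extraction.
    if name.startswith("/") or _DRIVE_RE.match(name):
        return None

    # Collapse "." and ".." segments.  Any ".." that survives normalisation
    # points above the entry's own root and therefore above dest_dir.
    norm = posixpath.normpath(name)
    if norm in (".", "") or ".." in norm.split("/"):
        return None

    # Join and confirm containment independently of the checks above.
    dest = posixpath.normpath(dest_dir.replace("\\", "/"))
    candidate = posixpath.normpath(posixpath.join(dest, norm))
    if posixpath.commonpath([dest, candidate]) != dest:
        return None
    return candidate


def triage_entries(dest_dir: str, entries: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Map each entry name to its resolved output path, or None if rejected."""
    return [(e, safe_extract_path(dest_dir, e)) for e in entries]


if __name__ == "__main__":
    for name, resolved in triage_entries("/tmp/extract", SAMPLE_ENTRIES):
        status = "OK      " if resolved else "REJECTED"
        print(f"{status} {name!r} -> {resolved}")
```

The final commonpath test is deliberately redundant with the earlier rejections: if a later change to the normalisation logic lets a traversal through, the containment check still catches it.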
Solution
Upgrade to WinRAR version 5.70 Beta 1 or later.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities vulnerability:
- Metasploit: exploit/windows/fileformat/winrar_ace [RARLAB WinRAR ACE Format Input Validation Remote Code Execution]
- Exploit-DB: exploits/windows/local/46756.rb [EDB-46756: RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)]
- GitHub: https://github.com/AeolusTF/CVE-2018-20250 [CVE-2018-20250]
- GitHub: https://github.com/Apri1y/Red-Team-links [CVE-2018-20250]
- GitHub: https://github.com/Echocipher/Resource-list [CVE-2018-20250]
- GitHub: https://github.com/Ektoplasma/ezwinrar [CVE-2018-20250: Python tool exploiting CVE-2018-20250 found by CheckPoint folks]
- GitHub: https://github.com/HacTF/poc--exp [CVE-2018-20250]
- GitHub: https://github.com/Mr-xn/Penetration_Testing_POC [CVE-2018-20250]
- GitHub: https://github.com/STP5940/CVE-2018-20250 [CVE-2018-20250]
- GitHub: https://github.com/astroicers/pentest_guide [CVE-2018-20250]
- GitHub: https://github.com/eastmountyxz/CSDNBlog-Security-Based [CVE-2018-20250]
- GitHub: https://github.com/eastmountyxz/NetworkSecuritySelf-study [CVE-2018-20250]
- GitHub: https://github.com/eastmountyxz/SystemSecurity-ReverseAnalysis [CVE-2018-20250]
- GitHub: https://github.com/hudunkey/Red-Team-links [CVE-2018-20250]
- GitHub: https://github.com/john-80/-007 [CVE-2018-20250]
- GitHub: https://github.com/joydragon/Detect-CVE-2018-20250 [CVE-2018-20250: Tool to check whether a payload has a malicious component according to ...]
- GitHub: https://github.com/likescam/CVE-2018-20250 [CVE-2018-20250]
- GitHub: https://github.com/lp008/Hack-readme [CVE-2018-20250]
- GitHub: https://github.com/lxg5763/cve-2018-20250 [CVE-2018-20250: CVE-2018-20250 exploitation]
- GitHub: https://github.com/manulqwerty/Evil-WinRAR-Gen [CVE-2018-20250]
- GitHub: https://github.com/n4r1b/WinAce-POC [CVE-2018-20250: Simple POC to leverage CVE-2018-20250 from inside an EXE]
- GitHub: https://github.com/nmweizi/CVE-2018-20250-poc-winrar [CVE-2018-20250]
- GitHub: https://github.com/ray-cp/Vuln_Analysis [CVE-2018-20250]
- GitHub: https://github.com/slimdaddy/RedTeam [CVE-2018-20250]
- GitHub: https://github.com/tzwlhack/CVE-2018-20250 [CVE-2018-20250]
- GitHub: https://github.com/wateroot/poc-exp [CVE-2018-20250]
- GitHub: https://github.com/wrlu/Vulnerabilities [CVE-2018-20250]
- GitHub: https://github.com/xiaoZ-hc/redtool [CVE-2018-20250]
- GitHub: https://github.com/ycdxsb/Exploits [CVE-2018-20250]
- GitHub: https://isc.sans.edu/forums/diary/rar+Files+and+ACE+Exploit+CVE201820250/24864/ [CVE-2018-20250]
- GitHub: https://github.com/arkangel-dev/CVE-2018-20250-WINRAR-ACE-GUI [CVE-2018-20250: CVE-2018-20250-WINRAR-ACE Exploit with a UI]
- GitHub: https://github.com/blunden/UNACEV2.DLL-CVE-2018-20250 [CVE-2018-20250: A version of the binary patched to address CVE-2018-20250]
- GitHub: https://github.com/DANIELVISPOBLOG/WinRar_ACE_exploit_CVE-2018-20250 [CVE-2018-20250: This program is a script developed in Python which exploits the ACE vulnerability on ...]
- GitHub: https://github.com/easis/CVE-2018-20250-WinRAR-ACE [CVE-2018-20250: Proof of concept code in C# to exploit the WinRAR ACE file extraction path ...]
- GitHub: https://github.com/eastmountyxz/CVE-2018-20250-WinRAR [CVE-2018-20250: This resource is the author's reproduction of the Microsoft signing certificate vulnerability CVE-2020-0601, combined with related resources and ...]
- GitHub: https://github.com/QAX-A-Team/CVE-2018-20250 [CVE-2018-20250: 010 Editor template for ACE archive format & CVE-2018-2025[0-3]]
- GitHub: https://github.com/technicaldada/hack-winrar [CVE-2018-20250: WinRar is a very widely known software for windows. Previous version of WinRaR was a ...]
- GitHub: https://github.com/zeronohacker/CVE-2018-20250 [CVE-2018-20250]
- GitHub: https://github.com/WyAtu/CVE-2018-20250 [CVE-2018-20250: Exp for https://research.checkpoint.com/extracting-code-execution-from-winrar]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source: CVE-2018-20253

CVSS V2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
CVSS V2 Base Score: 6.8 (Medium)
CVSS V2 Impact Subscore: 6.4
CVSS V2 Exploitability Subscore: 8.6
CVSS V2 Temporal Score: 5.9 (Medium)
CVSS V2 Environmental Score: NA (None)
CVSS V2 Modified Impact Subscore: NA
CVSS V2 Overall Score: 5.9 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS V3 Base Score: 7.8 (High)
CVSS V3 Impact Subscore: 5.9
CVSS V3 Exploitability Subscore: 1.8
CVSS V3 Temporal Score: 7.5 (High)
CVSS V3 Environmental Score: NA (None)
CVSS V3 Modified Impact Subscore: NA
CVSS V3 Overall Score: 7.5 (High)
STIG Risk Rating: Medium
Plugin Source
This is the winrar_5_70_beta_1.nasl nessus plugin source code. This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(122448);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2018-20250",
    "CVE-2018-20251",
    "CVE-2018-20252",
    "CVE-2018-20253"
  );
  script_bugtraq_id(106948);
  script_xref(name:"IAVA", value:"2020-A-0007");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/15");

  script_name(english:"RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Windows host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of RARLAB WinRAR installed on the remote Windows host is
prior to 5.70 Beta 1. It is, therefore, affected by the following
vulnerabilities :

  - An error exists in the file 'unacev2.dll' related to
    the 'filename' field, that allows a specially crafted
    ACE archive to overwrite files outside the destination
    folder. Such files could be in the system startup
    locations, and thus, lead to arbitrary code execution on
    next boot. (CVE-2018-20250)

  - An input-validation error exists in the file
    'unacev2.dll' related to handling ACE archives and
    filenames that allows path traversal pattern checking
    to be bypassed. (CVE-2018-20251)

  - An out-of-bounds write error exists related to handling
    ACE and RAR file parsing that allows arbitrary code
    execution. (CVE-2018-20252)

  - An out-of-bounds write error exists related to handling
    LHA and LZH file parsing that allows arbitrary code
    execution. (CVE-2018-20253)");
  script_set_attribute(attribute:"see_also", value:"https://research.checkpoint.com/extracting-code-execution-from-winrar/");
  script_set_attribute(attribute:"see_also", value:"https://github.com/Ridter/acefile");
  script_set_attribute(attribute:"solution", value:
"Upgrade to WinRAR version 5.70 Beta 1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20253");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'RARLAB WinRAR ACE Format Input Validation Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:rarlab:winrar");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("winrar_win_installed.nbin");
  script_require_keys("installed_sw/RARLAB WinRAR", "SMB/Registry/Enumerated");

  exit(0);
}
include("vcf.inc");

# Stop unless a dependency has already enumerated the Windows registry on the target.
get_kb_item_or_exit("SMB/Registry/Enumerated");

# Fetch the locally detected WinRAR install (version and path) recorded by winrar_win_installed.nbin.
app_info = vcf::get_app_info(app:"RARLAB WinRAR", win_local:TRUE);

# Any detected version below 5.70 Beta 1 is reported as affected.
constraints = [
  { "fixed_version" : "5.70.beta1", "fixed_display" : "5.70 Beta 1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/winrar_5_70_beta_1.nasl
- Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\winrar_5_70_beta_1.nasl
- Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/winrar_5_70_beta_1.nasl
How to Run
Here is how to run the RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities plugin on its own via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Windows plugin family.
- On the right side table select RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities plugin ID 122448.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl winrar_5_70_beta_1.nasl -t <IP/HOST>
Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a winrar_5_70_beta_1.nasl -t <IP/HOST>
Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - winrar_5_70_beta_1.nasl -t <IP/HOST>
Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):
/opt/nessus/bin/nasl -K /tmp/state winrar_5_70_beta_1.nasl -t <IP/HOST>
References
BID (SecurityFocus Bugtraq ID): 106948
IAVA (Information Assurance Vulnerability Alert): 2020-A-0007
- https://www.tenable.com/plugins/nessus/122448
- https://github.com/Ridter/acefile
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://vulners.com/nessus/WINRAR_5_70_BETA_1.NASL
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file winrar_5_70_beta_1.nasl version 1.9. For more plugins, visit the Nessus Plugin Library.