WinRAR Remote Code Execution
About WinRAR Remote Code Execution (RCE)
A high-severity vulnerability within WinRAR has been discovered. This vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. CVE-2023-38831 was exploited in the wild from April through August 2023.
What version of WinRAR is Vulnerable?
WinRAR versions before 6.23 are vulnerable to CVE-2023-38831. To find out which version of WinRAR you are using, select "Help" and then "About WinRAR" in your client.
How Can a Hacker Execute Malicious Code?
This vulnerability exposes a critical security weakness that allows remote attackers to execute arbitrary code on computers where WinRAR is installed. What makes this vulnerability particularly concerning is that it requires user interaction to be exploited. Specifically, the user must either visit a malicious website or open a compromised file for the vulnerability to become a threat.
The root cause of this issue lies in the way WinRAR handles recovery volumes. When attempting to repair damaged or incomplete files, WinRAR fails to adequately validate user-supplied data. This oversight opens the door to a dangerous possibility: an attacker can exploit this vulnerability to trigger the execution of a malicious binary within the context of the currently running process.
Exploits of this nature are commonly used to deliver ransomware into the victim's environment.
See How the Exploit Works
We showcase how a malicious actor can disguise a file as an image to replicate this attack. Once the victim interacts with the ZIP file, the machine establishes a connection back to a Command and Control (C2) server, which captures the victim's NTLMv2 hash. We then crack the hash to recover the victim's password, granting access to the user's account.
- 0:00:03 – Starting Responder to listen for SMB connections and capture hashes.
- 0:00:12 – Opening WinRAR on the victim machine.
- 0:00:14 – Clicking on what appears to be an image (.png file).
- 0:00:15 – Arbitrary code has been executed, and an authentication request has been sent to the attacker's machine.
- 0:00:20 – The hash has been captured on the attacker's side.
- 0:00:40 – Hashcat is used to crack the NTLMv2 hash.
- 0:00:46 – The NTLMv2 hash is successfully cracked.
- 0:01:12 – The cracked password allows us to log in as the victim.
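The archive used in a demo like the one above follows the layout publicly documented for CVE-2023-38831: a decoy file (the "image") sits beside a directory of the same name, and that directory holds a script whose name is the decoy's name plus a trailing space. The scanner below is an added example, not ThreatLocker's tooling or code from this page; it flags that layout in a ZIP's central directory, including the variant where the decoy name itself carries a trailing space, and builds a constructed, inert fixture to run against.

```python
import io
import zipfile
from typing import List, Tuple

# Script/executable extensions that WinRAR would hand to the shell when the decoy is opened.
LAUNCHABLE_EXT = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com")


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy_file, hidden_script) pairs whose layout matches CVE-2023-38831.

    A top-level file 'photo.png' next to a directory 'photo.png/' that contains
    'photo.png/photo.png .cmd' (decoy name + space + launchable extension) is a hit.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # Map each directory entry by its name with the slash and trailing spaces removed.
    dirs = {n.rstrip("/").rstrip(" "): n for n in names if n.endswith("/")}
    files = [n for n in names if not n.endswith("/")]
    hits = []
    for decoy in files:
        if "/" in decoy:
            continue                      # only top-level decoys are double-clicked
        key = decoy.rstrip(" ")           # tolerate a trailing space on the decoy itself
        directory = dirs.get(key)
        if directory is None:
            continue
        for inner in files:
            if not inner.startswith(directory):
                continue
            base = inner[len(directory):]  # entry name relative to the directory
            if base.startswith(key + " ") and base.lower().endswith(LAUNCHABLE_EXT):
                hits.append((decoy, inner))
    return hits


def build_sample(decoy: str, script_ext: str, trapped: bool) -> bytes:
    """Constructed fixture (not a real sample): an archive with or without the trap layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"constructed placeholder image bytes")
        if trapped:
            zf.writestr(decoy + "/", b"")                                  # same-named directory
            zf.writestr(f"{decoy}/{decoy} {script_ext}", b"REM inert placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_cve_2023_38831_pattern(build_sample("photo.png", ".cmd", True)))
```

A mail gateway or EDR hook can apply the same check to any ZIP before it reaches a user's WinRAR, independent of whether the client has been updated to 6.23.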
How Can ThreatLocker Stop It?
ThreatLocker explicitly blocks the execution of arbitrary code: our Zero Trust framework actively denies anything that has not been permitted beforehand, allowing your endpoint to maintain a secure posture against attacks such as this one. We take it further by Ringfencing™ PowerShell and CMD so that, by default, they cannot interact with other applications or the internet. Because of this, we can stop the connection to a C2 server whenever one is attempted.