A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could allow a remote attacker to execute arbitrary code on a system that relies on the binary.
The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.
Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of version 6.12 released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.
“An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive,” SonarSource researcher Simon Scannell said in a Tuesday report. “If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.”
It is worth pointing out that any software that uses an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.
This also includes the Zimbra collaboration suite, where the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker full access to an email server and even letting them abuse it to access or overwrite other internal resources within the organization's network.
The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that is a mix of both forward slashes and backslashes (e.g., "..\..\..\tmp/shell") so as to bypass existing checks and extract it outside of the expected directory.
More specifically, the weakness has to do with a function that is designed to convert backslashes ("\") to forward slashes ("/") so that a RAR archive created on Windows can be extracted on a Unix system, effectively changing the aforementioned symlink to "../../../tmp/shell."
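The ordering problem the article describes, as an added illustration that is not UnRAR's own code: a traversal check that runs before the backslash-to-slash conversion sees no `..` path component in `..\..\..\tmp/shell` and accepts it, while the converted form resolves outside the extraction directory. The hardened variant normalizes separators first and validates the form that will actually touch the filesystem. The sample symlink target is the one quoted above; the extraction directory `/srv/extract/job1` and the helper names are constructed for this example.

```python
import posixpath

# Constructed sample: the symlink target quoted in the article, with
# backslash-separated parent references ending in a forward-slash path.
CRAFTED_TARGET = r"..\..\..\tmp/shell"
BENIGN_TARGET = "docs/readme.txt"


def convert_backslashes(path: str) -> str:
    """Mimic the separator rewrite described above: a RAR created on Windows
    may carry backslash separators, which are rewritten to '/' so the archive
    extracts on Unix."""
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """Reject absolute targets and any '..' component, splitting only on '/'.
    Backslashes are not treated as separators here, which is the point."""
    if path.startswith("/"):
        return True
    return ".." in path.split("/")


def accept_link_vulnerable_order(link_target: str) -> bool:
    """Flawed ordering (hypothetical reconstruction): validate the raw target,
    convert separators afterwards. The check never sees a '..' component, so
    the crafted target is accepted; the later conversion then produces
    '../../../tmp/shell'."""
    return not has_traversal(link_target)


def accept_link_fixed_order(link_target: str) -> bool:
    """Hardened ordering: normalize separators first, then validate the
    normalized form, i.e. what would really be written to the filesystem."""
    return not has_traversal(convert_backslashes(link_target))


def resolve_link_target(extract_dir: str, link_target: str) -> str:
    """Where a symlink with this (already converted) target would point if
    created inside extract_dir, after collapsing '..' components."""
    return posixpath.normpath(posixpath.join(extract_dir, link_target))


def escapes_extract_dir(extract_dir: str, link_target: str) -> bool:
    """True when the resolved target lies outside extract_dir. A stronger
    defence than string checks: verify the final path is inside the root."""
    root = extract_dir.rstrip("/")
    resolved = resolve_link_target(root, link_target)
    return not (resolved == root or resolved.startswith(root + "/"))


if __name__ == "__main__":
    root = "/srv/extract/job1"  # constructed extraction directory
    for target in (CRAFTED_TARGET, BENIGN_TARGET):
        converted = convert_backslashes(target)
        print(f"{target!r}: vulnerable order accepts={accept_link_vulnerable_order(target)}, "
              f"fixed order accepts={accept_link_fixed_order(target)}, "
              f"resolves to {resolve_link_target(root, converted)}, "
              f"escapes={escapes_extract_dir(root, converted)}")
```

The final-path check in `escapes_extract_dir` is the shape of defence worth adding to any extractor that handles untrusted archives: compare the fully resolved destination against the extraction root rather than pattern-matching the string the archive supplied.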
By taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra's web directory and executing malicious commands.
“The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking,” Scannell noted.