{"id":17331,"date":"2023-10-26T14:54:38","date_gmt":"2023-10-26T14:54:38","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=17331"},"modified":"2023-10-26T14:55:52","modified_gmt":"2023-10-26T14:55:52","slug":"winrar-vulnerability-ace-exploited","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/winrar-vulnerability-ace-exploited\/","title":{"rendered":"WinRAR Vulnerability Allows Arbitrary Code Execution"},"content":{"rendered":"

Over the past few weeks, Google’s Threat Analysis Group (TAG) has reported a worrying trend<\/strong>. Experts have observed government-sponsored actors from different nations exploiting this WinRAR vulnerability<\/strong> as part of their operations. The vulnerability received an index of CVE-2023-38831<\/code>. Even though a patch has since been released, many users remain vulnerable to potential attacks.<\/p>\n

WinRAR RCE Vulnerability Exploited Through a PNG File<\/h2>\n

In August 2023, RARLabs, the developer of WinRAR, released an updated version that addressed several security-related issues<\/strong>. Among these was the CVE-2023-38831<\/code> vulnerability, a logical flaw within WinRAR. This flaw allowed for the unintended expansion of temporary files when processing specially crafted archives. Combined with an idiosyncrasy in the Windows ShellExecute implementation, it posed a significant risk. The vulnerability permitted attackers to run arbitrary code<\/strong> by tricking users into opening a seemingly benign file, such as a standard PNG image, that was contained within a ZIP archive<\/a>.<\/p>\n

According to a detailed report from analysts<\/strong>, this vulnerability had already been exploited in the wild as a zero-day<\/a> by cybercriminal actors as early as April 2023. Their campaigns targeted financial traders and distributed various commodity malware families. Shortly after this revelation, proof-of-concept and exploit generators were publicly shared on GitHub<\/strong>, leading to an increase in testing activities by financially motivated and advanced persistent threat (APT) actors experimenting with CVE-2023-38831<\/code>.<\/p>\n

How does CVE-2023-38831 work?<\/h2>\n

This vulnerability hinged on the intricacies of how WinRAR<\/strong> processed archive structures. When a user double-clicked on a seemingly harmless file within WinRAR<\/a>, it would inadvertently execute a file with the same name but containing a space in its extension. This behavior was caused by a quirk in WinRAR’s file extraction logic, which could lead to the extraction of unintended files into a temporary directory<\/strong>.<\/p>\n

\"Location<\/p>\n

Furthermore, the flaw in the ShellExecute component triggered a search for valid extensions and executed the first file found with an extension matching specific criteria<\/strong>. This behavior allowed attackers to launch malicious code, even if it was not the original file the user intended to open.<\/p>\n

Notable Campaigns That Used WinRAR Exploits<\/h2>\n

The exploitation of CVE-2023-38831<\/code> was not limited to one group or country. Various threat actors seized the opportunity to launch campaigns<\/strong> using this vulnerability:<\/p>\n