Description
In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Check Point Software Technologies Ltd. / WinRARAll versions prior and including 5.61 – All versions prior and including 5.61
References
- MISChttps://github.com/blau72/CVE-2018-20250-WinRAR-ACE
- MISChttps://research.checkpoint.com/extracting-code-execution-from-winrar/
- EXPLOIThttps://www.exploit-db.com/exploits/46552/
- MISChttp://www.securityfocus.com/bid/106948
- MISChttps://www.win-rar.com/whatsnew.html
- EXPLOIThttp://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
- MISChttp://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
- EXPLOIThttps://www.exploit-db.com/exploits/46756/