CVE-2018-20252
Information
There is an out-of-bounds write vulnerability during parsing of crafted ACE and RAR archive formats.
Successful exploitation could lead to arbitrary code execution in the context of the current user.
Crash Dump
(12c0.2204): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for WinRAR.exe
eax=085283ea ebx=08529f80 ecx=7443315e edx=43412a2a esi=00009528 edi=0000002f
eip=00866dca esp=00c81210 ebp=0000315e iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
WinRAR+0x16dca:
00866dca 895008 mov dword ptr [eax+8],edx ds:002b:085283f2=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
WinRAR+16dca
00866dca 895008 mov dword ptr [eax+8],edx
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00866dca (WinRAR+0x00016dca)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 085283f2
Attempt to write to address 085283f2
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=085283ea ebx=08529f80 ecx=7443315e edx=43412a2a esi=00009528 edi=0000002f
eip=00866dca esp=00c81210 ebp=0000315e iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
WinRAR+0x16dca:
00866dca 895008 mov dword ptr [eax+8],edx ds:002b:085283f2=????????
FAULTING_THREAD: 00002204
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: WinRAR.exe
ERROR_CODE: (NTSTATUS) 0xc0000005
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 085283f2
WRITE_ADDRESS: 085283f2
FOLLOWUP_IP:
WinRAR+16dca
00866dca 895008 mov dword ptr [eax+8],edx
NTGLOBALFLAG: 2000000
APPLICATION_VERIFIER_FLAGS: 0
APP: winrar.exe
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ
IP_ON_HEAP: 08529f80
FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER: from 08529f80 to 00866dca
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00c8120c 08529f80 000001c7 00c82258 000001c0 WinRAR+0x16dca
00c81210 00000000 00c82258 000001c0 7443315e 0x8529f80
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: winrar+16dca
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: WinRAR
IMAGE_NAME: WinRAR.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b2fb2d9
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_WinRAR.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ_winrar+16dca
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_winrar.exe!unknown
FAILURE_ID_HASH: {5e5203f1-156f-bdef-b7b5-f0867771fc94}
PoC
There is a file named poc.rar.
In order to inspect the crash, you should enable the PageHeap option in GFlags.exe.
You can extract the file using WinRAR's GUI or via the command line arguments: “x poc.rar -kb -p1”
Attachments:
poc.rar
References:
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.rarlab.com/rarnew.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20252