Information

There is an out-of-bounds write vulnerability in WinRAR during parsing of crafted ACE and RAR archive formats.
Successful exploitation could lead to arbitrary code execution in the context of the current user.

The crash dump below was taken from WinRAR.exe running under full page heap (NTGLOBALFLAG 0x2000000 is FLG_HEAP_PAGE_ALLOCS). The faulting instruction, mov dword ptr [eax+8],edx, writes to 0x085283f2, a page the debugger cannot read (shown as ????????). With full page heap every heap block is followed by an inaccessible page, so a write past the end of a block faults at the first bad access instead of silently corrupting the neighbouring block; without page heap the same write may go unnoticed. The call stack in the dump should not be trusted: no symbols were loaded, unwind information is missing, and the recorded return address 0x08529f80 lies on the heap (IP_ON_HEAP), so only the faulting frame is reliable. The module link timestamp (DEBUG_FLR_IMAGE_TIMESTAMP 0x5b2fb2d9) corresponds to 24 June 2018.

Crash Dump

    (12c0.2204): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Module load completed but symbols could not be loaded for WinRAR.exe
    eax=085283ea ebx=08529f80 ecx=7443315e edx=43412a2a esi=00009528 edi=0000002f
    eip=00866dca esp=00c81210 ebp=0000315e iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
    WinRAR+0x16dca:
    00866dca 895008          mov     dword ptr [eax+8],edx ds:002b:085283f2=????????

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    FAULTING_IP: 
    WinRAR+16dca
    00866dca 895008          mov     dword ptr [eax+8],edx

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00866dca (WinRAR+0x00016dca)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 085283f2
    Attempt to write to address 085283f2

    CONTEXT:  00000000 -- (.cxr 0x0;r)
    eax=085283ea ebx=08529f80 ecx=7443315e edx=43412a2a esi=00009528 edi=0000002f
    eip=00866dca esp=00c81210 ebp=0000315e iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
    WinRAR+0x16dca:
    00866dca 895008          mov     dword ptr [eax+8],edx ds:002b:085283f2=????????

    FAULTING_THREAD:  00002204

    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

    PROCESS_NAME:  WinRAR.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005

    EXCEPTION_PARAMETER1:  00000001

    EXCEPTION_PARAMETER2:  085283f2

    WRITE_ADDRESS:  085283f2 

    FOLLOWUP_IP: 
    WinRAR+16dca
    00866dca 895008          mov     dword ptr [eax+8],edx

    NTGLOBALFLAG:  2000000

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  winrar.exe

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ

    IP_ON_HEAP:  08529f80

    FRAME_ONE_INVALID: 1

    LAST_CONTROL_TRANSFER:  from 08529f80 to 00866dca

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00c8120c 08529f80 000001c7 00c82258 000001c0 WinRAR+0x16dca
    00c81210 00000000 00c82258 000001c0 7443315e 0x8529f80


    STACK_COMMAND:  .cxr 0x0 ; kb

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  winrar+16dca

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: WinRAR

    IMAGE_NAME:  WinRAR.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  5b2fb2d9

    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_WinRAR.exe!Unknown

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ_winrar+16dca

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_winrar.exe!unknown

    FAILURE_ID_HASH:  {5e5203f1-156f-bdef-b7b5-f0867771fc94}

PoC

The attached file poc.rar triggers the crash.
To observe it reliably, enable full page heap for WinRAR.exe with GFlags (part of Debugging Tools for Windows) before extracting: gflags.exe /p /enable WinRAR.exe /full. Without page heap the out-of-bounds write may land in a mapped heap page and only corrupt memory silently.
Extract the file with WinRAR's GUI or from the command line: WinRAR.exe x poc.rar -kb -p1 (-kb keeps broken extracted files; -p<pwd> sets the archive password on the command line so extraction does not stop at a prompt).
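Added example, not part of this report and not WinRAR's code: a bounds-checked walker for RAR 4.x block headers in Python. It assumes the RAR 4.x layout (7-byte marker, then blocks of HEAD_CRC/HEAD_TYPE/HEAD_FLAGS/HEAD_SIZE, a 4-byte ADD_SIZE when LONG_BLOCK is set, and a 32-byte fixed part followed by FILE_NAME in file headers). The report does not identify which field WinRAR mishandles, so this does not reproduce the bug; it shows the checks a parser needs so that a crafted HEAD_SIZE or NAME_SIZE, or a truncated file, is rejected before any read or write leaves the buffer, which is the condition page heap turns into the access violation above. The sample archive is constructed inside the code, and the names walk_rar4, build_stored_archive, tamper_field and is_rejected are mine.

```python
import struct
import zlib

# RAR 4.x layout assumed here; the report does not say which field WinRAR mishandles,
# so this block shows the bounds checks a block walker needs, not the actual bug.
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
LONG_BLOCK = 0x8000          # HEAD_FLAGS bit: a 4-byte ADD_SIZE follows HEAD_SIZE
FILE_LARGE = 0x0100          # HEAD_FLAGS bit: 64-bit sizes, 8 extra bytes before the name
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
FILE_FIXED = 32              # bytes from HEAD_CRC up to (not including) FILE_NAME


class BadArchive(ValueError):
    """A size taken from the file would move a read or write outside the buffer."""


def _need(buf, off, n, what):
    # Every length that comes from the archive is checked against what we actually hold.
    if off + n > len(buf):
        raise BadArchive(f"{what}: {n} bytes needed at offset {off}, {len(buf) - off} left")


def walk_rar4(buf):
    """Return (offset, head_type, head_size, add_size, file_name) for every block."""
    if not buf.startswith(RAR4_SIGNATURE):
        raise BadArchive("missing RAR 4.x marker")
    off, blocks = len(RAR4_SIGNATURE), []
    while off < len(buf):
        _need(buf, off, 7, "block header")
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", buf, off)
        if head_size < 7:                      # would stall or re-read this header forever
            raise BadArchive(f"HEAD_SIZE {head_size} below the 7 fixed bytes")
        _need(buf, off, head_size, "header body")
        add_size = 0
        if head_flags & LONG_BLOCK:
            if head_size < 11:
                raise BadArchive("LONG_BLOCK set but no room for ADD_SIZE")
            add_size = struct.unpack_from("<I", buf, off + 7)[0]
            _need(buf, off + head_size, add_size, "block data")
        # HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE..end of header.
        if zlib.crc32(buf[off + 2:off + head_size]) & 0xFFFF != head_crc:
            raise BadArchive(f"header CRC mismatch at offset {off}")
        name = None
        if head_type == HEAD_FILE:
            fixed = FILE_FIXED + (8 if head_flags & FILE_LARGE else 0)
            if head_size < fixed:
                raise BadArchive("file header shorter than its fixed fields")
            name_size = struct.unpack_from("<H", buf, off + 26)[0]
            # NAME_SIZE is attacker controlled and must fit inside the header HEAD_SIZE
            # declares; copying it into a fixed buffer without this check is a classic overflow.
            if fixed + name_size > head_size:
                raise BadArchive(f"NAME_SIZE {name_size} overruns a {head_size}-byte header")
            name = bytes(buf[off + fixed:off + fixed + name_size])
        blocks.append((off, head_type, head_size, add_size, name))
        off += head_size + add_size
        if head_type == HEAD_END:
            break
    return blocks


def _block(head_type, head_flags, body, data=b""):
    """One RAR 4.x block: header with a freshly computed HEAD_CRC, then its data."""
    tail = struct.pack("<BHH", head_type, head_flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail + data


def build_stored_archive(name, data):
    """Constructed sample input: a RAR 4.x archive holding one stored (uncompressed) file."""
    main = _block(HEAD_MAIN, 0x0000, b"\x00" * 6)       # RESERVED1 (2) + RESERVED2 (4)
    body = struct.pack("<IIBIIBBHI",
                       len(data), len(data),             # PACK_SIZE (doubles as ADD_SIZE), UNP_SIZE
                       2,                                # HOST_OS: Win32
                       zlib.crc32(data),                 # FILE_CRC
                       0,                                # FTIME (not needed here)
                       20,                               # UNP_VER 2.0
                       0x30,                             # METHOD: stored
                       len(name),                        # NAME_SIZE
                       0x20)                             # ATTR: archive bit
    return RAR4_SIGNATURE + main + _block(HEAD_FILE, LONG_BLOCK, body + name, data) + _block(HEAD_END, 0x4000, b"")


def tamper_field(archive, field_off, value):
    """Patch a 16-bit field of the first file header and refresh HEAD_CRC, so that only the
    bounds checks can reject the result (a crafted archive carries a valid CRC as well)."""
    off = next(b[0] for b in walk_rar4(archive) if b[1] == HEAD_FILE)
    head_size = struct.unpack_from("<H", archive, off + 5)[0]
    buf = bytearray(archive)
    struct.pack_into("<H", buf, off + field_off, value)
    struct.pack_into("<H", buf, off, zlib.crc32(bytes(buf[off + 2:off + head_size])) & 0xFFFF)
    return bytes(buf)


def is_rejected(buf):
    """True when walk_rar4 refuses the archive instead of reading past its buffer."""
    try:
        walk_rar4(buf)
    except BadArchive:
        return True
    return False


if __name__ == "__main__":
    good = build_stored_archive(b"hello.txt", b"hello")
    for off, head_type, head_size, add_size, name in walk_rar4(good):
        print(f"offset {off:3d} type {head_type:#04x} header {head_size:2d} data {add_size} name {name}")
    for label, bad in (("NAME_SIZE 0xFFFF", tamper_field(good, 26, 0xFFFF)),
                       ("HEAD_SIZE 3", tamper_field(good, 5, 3)),
                       ("file cut to 40 bytes", good[:40])):
        try:
            walk_rar4(bad)
        except BadArchive as err:
            print(f"rejected {label}: {err}")
```

The walker never trusts a length it has not compared against the bytes it holds, and it checks HEAD_CRC only after the size checks, because a CRC proves nothing about a header an attacker wrote. Run it without page heap in mind: the point is that these rejections happen before the first out-of-range access, whereas page heap only makes such an access visible once it has already happened.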


Attachments:
poc.rar

References:
Check Point Research, "Extracting a 19 Year Old Code Execution from WinRAR": https://research.checkpoint.com/extracting-code-execution-from-winrar/
WinRAR change log: https://www.rarlab.com/rarnew.htm
CVE-2018-20252: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20252