CVE-2018-20253
Information
There is an out-of-bounds write vulnerability during parsing of a crafted archive in the LHA / LZH formats.
Successful exploitation could lead to arbitrary code execution in the context of the current user.
Crash Dump:
(27c4.3a94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for WinRAR.exe
eax=00965218 ebx=00000009 ecx=000010e2 edx=00000080 esi=081a1000 edi=00093080
eip=0087a792 esp=005624c0 ebp=08198ad0 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210207
WinRAR+0x2a792:
0087a792 66893e mov word ptr [esi],di ds:002b:081a1000=????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
WinRAR+2a792
0087a792 66893e mov word ptr [esi],di
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0087a792 (WinRAR+0x0002a792)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 081a1000
Attempt to write to address 081a1000
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=00965218 ebx=00000009 ecx=000010e2 edx=00000080 esi=081a1000 edi=00093080
eip=0087a792 esp=005624c0 ebp=08198ad0 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210207
WinRAR+0x2a792:
0087a792 66893e mov word ptr [esi],di ds:002b:081a1000=????
FAULTING_THREAD: 00003a94
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: WinRAR.exe
ERROR_CODE: (NTSTATUS) 0xc0000005
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 081a1000
WRITE_ADDRESS: 081a1000
FOLLOWUP_IP:
WinRAR+2a792
0087a792 66893e mov word ptr [esi],di
NTGLOBALFLAG: 2000000
APPLICATION_VERIFIER_FLAGS: 0
APP: winrar.exe
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
LAST_CONTROL_TRANSFER: from 00878b15 to 0087a792
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
005624cc 00878b15 00000001 00001fff 08198ad0 WinRAR+0x2a792
005624dc 00878794 08198ad0 08198ad0 00562530 WinRAR+0x28b15
00562500 00878db8 1b2fe902 08198ad0 fffffffa WinRAR+0x28794
00562514 008bbce2 08198ad0 00562508 005645a0 WinRAR+0x28db8
00563564 00000000 00000001 00000001 3df6dc00 WinRAR+0x6bce2
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: winrar+2a792
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: WinRAR
IMAGE_NAME: WinRAR.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b2fb2d9
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_WinRAR.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_winrar+2a792
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_winrar.exe!unknown
FAILURE_ID_HASH: {5e5203f1-156f-bdef-b7b5-f0867771fc94}
PoC
There is a file named poc.lha.
In order to inspect the crash, you should enable the PageHeap option for WinRAR.exe in GFlags.exe.
You can extract the file using WinRAR's GUI or via the command line arguments: "x poc.lha -kb -p1"
Attachments:
poc.lha
References:
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.rarlab.com/rarnew.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20253