6.8
MEDIUM

CVE-2018-20250

Published: 05/02/2019 Updated: 15/03/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8

Vulnerability Summary

In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path.

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Affected Products

Vendor: Rarlab | Product: WinRAR | Versions: 5.61

Exploits

#!/usr/bin/env python3
import os
import re
import zlib
import binascii

# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "calc.exe"
# The decompression path you want, such as shown below
target_filename = r"C:\C:C:/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe"
# Other ...

Github Repositories

CVE-2018-20250-WINRAR-ACE-GUI CVE-2018-20250-WINRAR-ACE exploit with a UI. Original code: github.com/blau72/CVE-2018-20250-WinRAR-ACE

CVE-2018-20250-poc-winrar

Detect-CVE-2018-20250 Tool to check whether a payload contains a malicious component according to CVE-2018-20250

hack-winrar WinRAR is very widely known software for Windows. Previous versions of WinRAR had a vulnerability which was patched in Feb 2019. Most people didn't update WinRAR, so they are vulnerable to this Absolute Path Traversal bug [CVE-2018-20250]

WinAce-POC Simple POC to leverage CVE-2018-20250 from inside an EXE. To-Do: Parse the ACE header file, to be able to change the destination path (ex. add C:\Users\<userName>) and fix the CRC (this way the path of the dropper wouldn't depend on the path of the execution). Look for a way to use a File Mapping as the param to ACEExtract; this way we avoid hav

ezwinrar Python tool exploiting CVE-2018-20250, found by the Check Point folks

CVE-2018-20250-WinRAR-ACE Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250). Resources: research.checkpoint.com/extracting-code-execution-from-winrar/ github.com/droe/acefile apidoc.roe.ch/acefile/latest/ Dependencies: InvertedTomato.Crc (you can install it with NuGet) for the checksum method. You can use any other

UNACEV2DLL-CVE-2018-20250 A version of the binary patched to address CVE-2018-20250

CVE-Exp A collection of CVEs, exploits, PoCs, etc. These were all collected from various corners (most of them from GitHub); I generally note the source. If there is any infringement, please contact me and I will delete it.

Evil-WinRAR-Generator-CVE-2018-20250- Generator of malicious ACE files for WinRAR < 5.70 beta 1

Evil-WinRAR-Generator Generator of malicious ACE files for WinRAR < 5.70 beta 1. Developed by @manulqwerty - IronHackers. Usage: Help: ./evilWinRAR.py -h Generate a malicious archive: Rar filename: evil.rar Evil path: C:\C:C:/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Evil files: calc.exe, l04d3r.exe Good files: hello.txt, cats.jpeg ./evil

WinRAR ACE vulnerability scanner for Domain Description: Script in PowerShell to detect vulnerable versions of WinRAR (related to ACE files) in a Windows domain. CVEs: (CVE-2018-20250) (CVE-2018-20251) (CVE-2018-20252) (CVE-2018-20253). Considerations: Well-configured WinRM on remote machines; well-configured firewall rules; run the script with the Unrestricted or Bypass executio

WinAFL Original AFL code written by Michal Zalewski <lcamtuf@google.com>. Windows fork written and maintained by Ivan Fratric <ifratric@google.com>. Copyright 2016 Google Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License

Recent Articles

Critical WinRAR Flaw Found Actively Being Exploited
Threatpost • Lindsey O'Donnell • 26 Feb 2019

A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.
The campaign, discovered by researchers with 360 Threat Intelligence Center, takes advantage of a path-traversal WinRAR vulnerability, which could allow bad actors to remotely execute malicious code on victims’ machines simply by persuading them to open a file.
Researchers with 360 Threat Intelligence Center on Monday said that the cam...

References