Technical blog | NetSecurity

ANSI Escape Injection vulnerability in WinRAR

Written by Siddharth Dushantha | Aug 23, 2024 12:59:36 PM

Overview of the update

On February 28, 2024, RARLAB released an update for WinRAR, which fixed an ANSI escape injection vulnerability that I had found in the console versions of RAR and UnRAR, affecting versions 6.24 and earlier. This vulnerability, tracked as CVE-2024-33899 for Linux and Unix systems and CVE-2024-36052 for Windows, allowed attackers to spoof the file list or perform a local service attack (Linux and Unix only).

In this post, I will walk through how this vulnerability works and demonstrate a proof of concept. Although I demonstrate this on a Linux system, the same can be done on a Windows or Unix system.

Background

If you are familiar with the command line on Linux, Unix or Windows, you may know programs like Vim and Neofetch. These programs use ANSI escape sequences to change text and background colours, control the cursor and build text-based user interfaces in the terminal.

Although ANSI escape sequences can be used to create cool programs for the terminal, they can also be abused for malicious purposes, as shown in Stok Fredrik's DEFCON lecture.

WinRAR's console counterparts, RAR and UnRAR, can be used to create and extract RAR archives. As shown in the image below, a RAR archive can carry a comment, which is printed when the contents of the archive are listed with unrar l demo.rar.


To check whether RAR strips or escapes ANSI escape sequences from the comment before printing it, we can store a simple payload that should display `THIS IS GREEN` in green:

printf 'Hello \033[32mTHIS IS GREEN\033[0m\007' | rar c demo.rar


When we run rar l demo.rar, THIS IS GREEN is printed in green. The comment is therefore written to the terminal verbatim: RAR neither strips nor escapes the ANSI escape sequences it contains.


Exploitation

The vulnerability can be exploited in many different ways, but as a demonstration we will use the attack that fits an archiver best: spoofing the file list.

First, we put the file virus.exe into a rar file:

$ ls
virus.exe
$ rar a demo.rar virus.exe


Then we add the following payload in the comment field:

printf 'Archive: demo.rar\nDetails: RAR 5\n\nAttributes Size Date Time Name\n----------- --------- ---------- ----- ---------\n-rw-r--r-- 7 2024-05-19 16:26 notvirus.pdf\n----------- --------- ---------- ----- ---------\n7 1\e[8m' | rar c demo.rar


This payload is a fake listing in which virus.exe has been replaced with notvirus.pdf. It ends with \e[8m, the SGR "conceal" attribute: the terminal keeps printing everything that follows, including the real file entry that RAR prints after the comment, but renders it invisibly. The result is that the actual file entry is hidden and our fake entry is what the user sees. In the screenshot below, you can see a large gap between the output and the shell prompt; that gap is the original file list, printed but made invisible by \e[8m. Experienced command line users may find the gap suspicious, and piping the output through cat -v (which shows the escape as ^[[8m) or using a terminal that does not implement conceal exposes the real entry, but less experienced users can easily be fooled.

As mentioned, there are two CVEs associated with this vulnerability because its severity is significantly higher on Linux and Unix systems than on Windows: on Linux and Unix, certain ANSI escape sequences can additionally be used to mount a local service attack against the terminal.

The payload below, taken from Stok Fredrik's Black Hat slides, switches on a battery of xterm DEC private modes (1001 through 1007, 1015 and 1016). The mouse-reporting modes among them, together with their extended coordinate encodings, make the terminal report every mouse movement and click to the foreground process as if it had been typed, 1004 adds focus-in/focus-out reports and 1007 enables alternate scrolling. This only works on Linux and Unix systems. When tested on a Kali Linux VM, the cursor coordinates were sent out to the terminal and the VM was later frozen.


\033[?1001h\033[?1002h\033[?1003h\033[?1004h\033[?1005h\033[?1006h\033[?1007h\033[?1015h\033[?1016h
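The script below is an added example, not RARLAB's code and not part of the original post. It models what the console archiver does (print the untrusted comment, then the real file table) and serves both payloads on this page: a tokenizer for ESC sequences, is_concealed to check whether the real file name ends up inside a \e[8m conceal region, neutralize as the hardened rendering that shows control bytes the way cat -v does, and a decoder for the DEC private-mode payload that also produces the sequence to switch mouse reporting off again. The render_listing layout, the file names and the sample comment are constructed for the demonstration; the mode numbers come from xterm's ctlseqs documentation.

```python
"""Tokenize, classify and neutralize ANSI escape sequences in untrusted text.
Added example, not RARLAB code: render_listing() mimics a console archiver that
prints the comment and then the real file table; all inputs are constructed.
Only 7-bit (ESC-prefixed) sequences are handled, not 8-bit C1 controls."""
import re

ESC = "\x1b"
# Tried in order: CSI (ESC [ params intermediates final); OSC (ESC ] ... BEL|ST);
# any other ESC sequence (intermediates 0x20-0x2F, final 0x30-0x7E); stray C0
# control bytes other than tab, LF and CR.
CONTROL_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[ -/]*[0-~]"
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
CSI = re.compile(r"\x1b\[([0-?]*)[ -/]*([@-~])")
# DEC private modes that make the terminal *send input* (mouse coordinates,
# focus events) to the foreground process; numbers from xterm's ctlseqs.
INPUT_REPORTING_MODES = {1000, 1001, 1002, 1003, 1004, 1005, 1006, 1015, 1016}

def tokenize(text):
    """Yield ("text", chunk) and ("ctl", sequence) pairs in document order."""
    pos = 0
    for m in CONTROL_SEQ.finditer(text):
        if m.start() > pos:
            yield "text", text[pos:m.start()]
        yield "ctl", m.group(0)
        pos = m.end()
    if pos < len(text):
        yield "text", text[pos:]

def _csi(seq):
    """(params, final) for a CSI sequence, (None, None) for anything else."""
    m = CSI.fullmatch(seq)
    return (m.group(1), m.group(2)) if m else (None, None)

def _nums(params):
    return {int(p) for p in params.lstrip("?").split(";") if p.isdigit()}

def describe(seq):
    """Short label for one control sequence."""
    params, final = _csi(seq)
    if final is None:
        return "OSC (title/hyperlink/clipboard)" if seq.startswith(ESC + "]") else "other control"
    if final == "m":
        return "SGR conceal (following text invisible)" if 8 in _nums(params) else "SGR colour/style"
    if final in "hl" and params.startswith("?"):
        modes, what = sorted(_nums(params)), "set" if final == "h" else "reset"
        kind = "mouse/focus reporting " if set(modes) & INPUT_REPORTING_MODES else ""
        return f"DEC private mode {what}: {kind}{modes}"
    if final in "ABCDHfJK":
        return "cursor movement / erase"
    if final == "n" and params == "6":
        return "cursor position report (terminal replies as input)"
    return f"CSI {final}"

def neutralize(text):
    """Hardened rendering: control bytes made visible, cat -v style (^[ for ESC)."""
    caret = lambda c: "^" + chr(ord(c) ^ 0x40) if ord(c) < 0x20 or ord(c) == 0x7F else c
    return "".join("".join(map(caret, chunk)) if kind == "ctl" else chunk
                   for kind, chunk in tokenize(text))

def is_concealed(output, needle):
    """True if needle first appears while SGR 8 (conceal) is in effect."""
    hidden = False
    for kind, chunk in tokenize(output):
        if kind == "ctl":
            params, final = _csi(chunk)
            if final == "m":
                nums = _nums(params) or {0}  # bare ESC[m is a reset
                hidden = 8 in nums or (hidden and not (nums & {0, 28}))
        elif needle in chunk:
            return hidden
    return False

def input_reporting_modes(text):
    """DEC private modes set by text that make the terminal emit input events."""
    modes = set()
    for kind, seq in tokenize(text):
        params, final = _csi(seq) if kind == "ctl" else (None, None)
        if final == "h" and params.startswith("?"):
            modes |= _nums(params) & INPUT_REPORTING_MODES
    return sorted(modes)

def recovery_sequence(modes):
    """String an operator can printf to switch those reporting modes off again."""
    return "".join(f"{ESC}[?{m}l" for m in modes)

def render_listing(comment, names, harden=False):
    """Comment first, then the real table; harden=False is the pre-7.00 behaviour."""
    rows = "\n".join(f" -rw-r--r--  {name}" for name in names)
    return f"{neutralize(comment) if harden else comment}\n\n Attributes  Name\n{rows}\n"

# Constructed inputs: the fake listing that ends in conceal, and the mouse payload.
SPOOF_COMMENT = ("Archive: demo.rar\nDetails: RAR 5\n\n Attributes  Name\n"
                 " -rw-r--r--  notvirus.pdf\n\x1b[8m")
MOUSE_PAYLOAD = "".join(f"\x1b[?{m}h" for m in (1001, 1002, 1003, 1004, 1005, 1006, 1007, 1015, 1016))

if __name__ == "__main__":
    raw = render_listing(SPOOF_COMMENT, ["virus.exe"])
    print("real entry concealed in raw listing:", is_concealed(raw, "virus.exe"))
    for seq in [s for k, s in tokenize(SPOOF_COMMENT + MOUSE_PAYLOAD) if k == "ctl"]:
        print(f"  {neutralize(seq):<12} {describe(seq)}")
    print("undo:", neutralize(recovery_sequence(input_reporting_modes(MOUSE_PAYLOAD))))
```

Because neutralize turns ESC into the two printable characters ^[, the hardened listing is safe to print on any terminal. If a payload like the one above has already reached your shell, printf the string returned by recovery_sequence, or simply run reset, to stop the terminal from reporting mouse events.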


While published research on the abuse of ANSI escape sequences is still limited, it is clear that attackers with a deep understanding of them can exploit them in creative, malicious and sometimes merely annoying ways.