Related vulnerability
Description
CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted
Introduction
# CVE-2025-6218-WinRAR-Directory-Traversal-RCE
CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted .rar archive. By exploiting this flaw, an attacker can drop malicious files in sensitive locations, potentially leading to remote code execution (RCE) if the file is executed by the system or user.
---
## PoC
<img src="./poc.gif"/>
---
### Affected Versions
- **WinRAR versions ≤ 7.11** are vulnerable.
- Versions ≥ 7.12 Beta 1 include a patch to mitigate this issue.
- Always verify the version of WinRAR installed (via `WinRAR.exe --version`).
### Why Directory Traversal Flaws Are Dangerous
Directory traversal vulnerabilities allow attackers to manipulate file paths to write files to unintended locations. In the context of WinRAR, this means a file meant to be extracted to `C:\Temp` could instead be placed in a sensitive directory like the Windows Startup folder (`C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`). If a malicious executable or script is placed in such a location, it could run automatically, granting the attacker control over the victim's system.
### Real-World Impact
An attacker can:
- Drop a malicious script (e.g., a `.bat` file) in the Startup folder to execute code on system boot.
- Overwrite critical system files in directories like `C:\Windows\System32` to disrupt system functionality or escalate privileges.
- Deliver payloads such as ransomware, spyware, or backdoors without the user’s knowledge.
- Combine this with social engineering (e.g., tricking a user into extracting a malicious archive) to achieve RCE.
---
## 2. Root Cause Explanation
### How WinRAR Fails to Sanitize File Paths
The vulnerability stems from WinRAR's failure to properly validate and sanitize file paths stored within a `.rar` archive. When extracting files, WinRAR trusts the file path metadata in the archive without sufficiently checking for path traversal sequences like `..\` or `../../`. This allows an attacker to craft an archive where a file’s path points outside the intended extraction directory.
### How `..\..\..\` Sequences Trick the Extraction Process
- **Path Traversal Basics**: The sequence `..\` in a file path instructs the system to move up one directory level. By chaining multiple `..\` sequences (e.g., `..\..\..\..\..`), an attacker can navigate from the extraction directory (e.g., `C:\Temp\Test`) to the root of the drive (`C:\`) and then to any desired location, such as `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`.
- **WinRAR’s Flaw**: Vulnerable versions of WinRAR (≤ 7.11) do not block or sanitize these sequences, allowing the extraction process to place files in arbitrary locations relative to the extraction point.
### Why Files Can Land in Sensitive Locations
- **Startup Folder**: Files placed in `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` execute automatically when a user logs in. A malicious `.bat` or `.exe` file here can run arbitrary commands.
- **System32 or Other Sensitive Directories**: Overwriting or adding files in `C:\Windows\System32` can compromise system integrity or enable privilege escalation.
- **No User Interaction Required**: If the file is placed in an auto-executing location like the Startup folder, the payload runs without further user action after extraction.
### Visual Diagram: Intended vs. Actual Extraction Paths
```
Intended Extraction (Safe):
- User extracts archive to: C:\Temp\Test
- Archive contains file: payload.bat
- Expected result: C:\Temp\Test\payload.bat
Actual Extraction (Exploited):
- User extracts archive to: C:\Temp\Test
- Archive contains file with path: ..\..\..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
- Actual result: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
```
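The containment check a hardened extractor has to perform before writing any entry, as an added example (my code, not WinRAR's and not the PoC author's): each archive entry name is resolved against the extraction root with Windows path semantics and reported if its target lands outside that root. The entry names are constructed samples; the traversal one is the path from the diagram above, and the extraction root is the diagram's `C:\Temp\Test`.

```python
import ntpath

# Extraction directory used in the diagram above.
EXTRACT_ROOT = r"C:\Temp\Test"

# Constructed sample entry names of the kind an archive's file headers carry.
# The third one is the traversal path from the diagram; the rest cover
# mixed separators, absolute paths, another drive and a harmless '..'.
SAMPLE_ENTRIES = [
    r"payload.bat",
    r"docs\readme.txt",
    r"..\..\..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat",
    r"../../../../../Users/<username>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.bat",
    r"C:\Windows\System32\sample.dll",   # absolute path: ntpath.join drops the root
    r"D:\other\file.txt",                # different drive
    r"sub\..\..\escape.txt",             # climbs out after a legitimate component
    r"a\..\b\inner.txt",                 # uses '..' but stays inside the root
]

def resolve_entry(extract_root: str, entry_name: str) -> str:
    """Build the output path the way an extractor would: join the entry name
    to the root, then collapse '.', '..' and mixed separators with Windows
    semantics. Purely lexical, so it runs on any host without touching disk."""
    joined = ntpath.join(extract_root, entry_name.replace("/", "\\"))
    return ntpath.normpath(joined)

def is_contained(extract_root: str, entry_name: str) -> bool:
    """True only if the resolved target lies strictly inside extract_root.
    Absolute entries make ntpath.join discard the root and a foreign drive
    makes commonpath raise ValueError; both are reported as escapes."""
    root = ntpath.normpath(extract_root)
    target = resolve_entry(root, entry_name)
    try:
        common = ntpath.commonpath([root, target])
    except ValueError:
        return False
    return (ntpath.normcase(common) == ntpath.normcase(root)
            and ntpath.normcase(target) != ntpath.normcase(root))

def audit_entries(extract_root: str, entries) -> dict:
    """Map every escaping entry name to the path it would actually be written to."""
    return {e: resolve_entry(extract_root, e) for e in entries
            if not is_contained(extract_root, e)}

if __name__ == "__main__":
    for entry, target in audit_entries(EXTRACT_ROOT, SAMPLE_ENTRIES).items():
        print(f"ESCAPES ROOT: {entry!r} -> {target}")
```

Note that the decision is made on the resolved target, not on whether the name contains `..`: `a\..\b\inner.txt` is accepted, while an absolute entry without any `..` is rejected.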
---
## 3. Manual Exploitation Guide
This section provides **step-by-step instructions** to manually reproduce the CVE-2025-6218 vulnerability in a **safe, isolated lab environment** using a virtual machine (VM) with no network connectivity. The goal is to create a `.rar` archive that places a harmless `.bat` file in the Windows Startup folder, which launches Calculator (`calc.exe`) upon user login.
### Prerequisites
- A **virtual machine** running Windows 10 with WinRAR version ≤ 7.11 installed.
- WinRAR installed on your host machine (≤ 7.11) for creating the archive.
- A text editor (e.g., Notepad) to create the payload.
- **No network connectivity** on the VM to ensure safety.
### Step-by-Step Instructions
1. **Prepare a Test Folder**:
   - On your host machine, create a folder named `exploit_test` (e.g., `C:\exploit_test`).
   - This folder will hold the payload and folder structure for the archive.
2. **Create a Simple Payload**:
   - Open Notepad and create a new file with the following content:
     ```batch
     @echo off
     start calc.exe
     ```
   - Save the file as `payload.bat` in `C:\exploit_test`.
   - This batch file is harmless and will open the Windows Calculator when executed.
3. **Create the Folder Structure for Path Traversal**:
   - Inside `C:\exploit_test`, create a folder structure that mirrors the desired path:
     ```
     C:\exploit_test\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
     ```
     Replace `<username>` with the target user’s name on the VM (e.g., `absholi7ly`).
   - Move `payload.bat` into the `Startup` folder:
     ```
     C:\exploit_test\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
     ```
4. **Craft the Malicious RAR Archive Using WinRAR**:
   - Open WinRAR (version ≤ 7.11) on your host machine.
   - Navigate to `C:\exploit_test`.
   - Select the `Users` folder (which contains the full path to `payload.bat`).
   - Right-click and select **Add to archive...**.
   - In the WinRAR dialog:
     - Set the archive name to `exploit.rar` (e.g., `C:\exploit_test\exploit.rar`).
     - Choose **RAR** as the archive format.
     - Set the **Compression method** to **Store** or **Normal**.
     - Ensure no advanced options (e.g., password protection) are enabled.
   - Click **OK** to create the archive.
   - Verify the archive contents by opening `exploit.rar` in WinRAR. You should see:
     ```
     Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
     ```
5. **Transfer the Archive to the VM**:
   - Copy `exploit.rar` to a shared folder or USB drive accessible by the VM.
   - In the VM, move `exploit.rar` to the root of the `C:\` drive:
     ```
     C:\exploit.rar
     ```
6. **Extract the Archive on the VM**:
   - In the VM, open WinRAR (version ≤ 7.11).
   - Navigate to `C:\`.
   - Right-click `exploit.rar` and select **Extract Here**.
   - This should attempt to extract `payload.bat` to:
     ```
     C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
     ```
     due to the directory traversal vulnerability.
7. **Verify the Exploitation**:
   - Open Windows Explorer in the VM and navigate to:
     ```
     C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
     ```
   - Check if `payload.bat` exists in this folder.
   - If it does, the directory traversal was successful.
8. **Test the Payload Execution**:
   - Log out of the current user session in the VM and log back in as `<username>`.
   - Alternatively, restart the VM.
   - If the exploit worked, the Windows Calculator (`calc.exe`) should launch automatically.
   - To manually test, double-click `payload.bat` in the Startup folder to confirm it opens Calculator.
---
## 4. Verification
### Checking for the Dropped Payload
- Open Windows Explorer in the VM.
- Navigate to:
```
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
- Look for `payload.bat`. If it’s present, the directory traversal exploit succeeded.
- Open `payload.bat` in Notepad to verify its contents:
```
@echo off
start calc.exe
```
### Confirming the File Path
- Right-click `payload.bat` in the Startup folder and select **Properties**.
- Check the **Location** field to confirm it matches:
```
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
- If the file is elsewhere (e.g., `C:\payload.bat` or a subfolder like `C:\Users\<username>\AppData\Roaming\...`), the exploit did not work as intended.
### Confirming Payload Execution
- Log out and log back in to the VM as the user `<username>`.
- Alternatively, restart the VM.
- Observe if Calculator opens automatically.
- If it doesn’t, manually double-click `payload.bat` in the Startup folder to verify it works.
---
## 5. Optional Automation Mention
For researchers looking to streamline the process, the manual steps described above can be automated using a Python script.
---
File snapshot
[4.0K] /data/pocs/1f9a2870755045610be7b9e49b596bdebd8dfd35
├── [1.6M] poc.gif
└── [8.9K] README.md
0 directories, 2 files