Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-6218 PoC — WinRAR 路径遍历漏洞

Source
https://github.com/ignis-sec/CVE-2025-6218
Associated Vulnerability
Title:WinRAR 路径遍历漏洞 (CVE-2025-6218)
Description:WinRAR是WinRAR公司的一款文件压缩器。该产品支持RAR、ZIP等格式文件的压缩和解压等。 WinRAR存在路径遍历漏洞,该漏洞源于处理存档文件路径不当,可能导致目录遍历和远程代码执行。
Description
A simple proof of concept for WinRAR Path Traversal | RCE | CVE-2025-6218
Readme
# CVE-2025-6218 | ZDI-CAN-27198 | ZDI-25-409 - WinRAR Path Traversal -> Remote Code Execution (RCE) 
## Proof of Concept

More information: 
* https://www.win-rar.com/singlenewsview.html?&L=0
* https://www.cvedetails.com/cve/CVE-2025-6218/
* https://www.zerodayinitiative.com/advisories/ZDI-25-409/


> RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
> 
> The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

> Published 2025-06-21 00:09:03 Updated 2025-06-23 20:16:22 Source Zero Day Initiative
> 
> Vulnerability category: Directory traversal | Execute code



A very minimal and simple proof of concept for CVE-2025-6218 WinRAR path traversal vulnerability. *(Also included: my toolset for playing around with the RAR format for vulnerability testing)*

**Path traversal to RCE chain not included in the POC, but arbitrary file write to RCE on windows is trivial.** 

Create the proof of concept:
```bash
$ python3 cve-2025-6218.py
```

If you extract this archive, the test.txt will be extracted one level outside the current directory.


The issue stems from a specific conflict between how whitespaces are sanitized, how path traversals are scanned in WinRAR executable until version 7.11:

A bit simplified and cleaned up version:
```c
void file_name_check(char *a1){
  cur_filename = a1;
  j = 0;
  cur_pos = 0;
  if ( *(a1 + 4) > 0 )
  {
    offset = 0;
    while ( 1 )
    {
      if ( (cur_pos + 1) == cur_filename[2] )
        goto BREAK;
      str = cur_filename;
      if ( cur_filename[3] > 7 )
        str = *cur_filename;
      if ( str[offset + 1] == '\\' || str[offset + 1] == '/' )
      {
BREAK:
        if ( cur_pos >= 0 )
          break;
      }
LOOP_START:
      ++cur_pos;
      ++offset;
      if ( cur_pos >= *(cur_filename + 4) )
        goto LABEL_47;
    }
    while ( 1 )
    {
      if ( str[offset] != '.' )
      {
        if ( str[offset] != ' ' )
          goto LOOP_START;
      }
      if ( !cur_pos )
      {
        if ( str[offset] == ' ' )
        {
          str[offset] = '_';
          goto LOOP_START;
        }
      }
      if ( str[offset] == '.' )
      {
        if ( !cur_pos )
          goto LOOP_START;
        if ( str[offset - 1] == '\\' || str[offset - 1] == '/' )
          goto LOOP_START;
        if ( cur_pos == 2 )
        {
          if ( is_safe_character(cur_filename) )
            goto LOOP_START;
        }
        else if ( cur_pos < 1 )
        {
          goto DELETE;
        }
        if ( str[offset - 1] == '.' )
        {
          if ( cur_pos == 1 )
            goto LOOP_START;
          if ( str[offset - 2] == '\\' || str[offset - 2] == '/' || cur_pos == 3 && is_safe_character(cur_filename) )
            goto LOOP_START;
        }
      }
DELETE:
      delete_char(cur_filename, cur_pos, 1u);
      --offset;
      if ( --cur_pos < 0 )
        goto LOOP_START;
    }
  }

//...
}
```


After 7.12:
```c
void __fastcall file_name_check(char **a1){
  cur_filename = a1;
  j = 0;
  if ( *(a1 + 4) > 0 )
  {
    offset = 0;
    fname_index = 1;
    do
    {
      if ( fname_index == cur_filename[2] )
        goto HANDLE_DIR_NEXT;
      str = cur_filename;
      if ( str[offset + 1] == '\\' || str[offset + 1] == '/' )
      {
HANDLE_DIR_NEXT:
        if ( offset >= 0 )
        {
          if ( str[offset] == '.' )
            goto FILENAME_BEGINS;
          if ( str[offset] == ' ' )
          {
FILENAME_BEGINS:
            if ( str[offset] != '.' )
              goto CONT;
            if ( offset )
            {
              if ( str[offset - 1] != '\\'
                && str[offset - 1] != '/'
                && (offset != 2 || !is_safe_character(cur_filename)) )
              {
                if ( str[offset - 1] != '.' )
                  goto CONT;
                if ( offset != 1 )
                {
                  if ( str[offset - 2] != '\\'
                    && str[offset - 2] != '/'
                    && (offset != 3 || !is_safe_character(cur_filename)) )
                  {
CONT:
                    str[offset] = '_';
                  }
                }
              }
            }
          }
        }
      }
      ++j;
      ++offset;
      ++fname_index;
    }
    while ( j < *(cur_filename + 4) );
  }

//...

}
```
File Snapshot

 [4.0K]  /data/pocs/308c406328cf8f0880e50333fc7fcd7cb60ac7f5
├── [2.8K]  base.py
├── [4.0K]  blocks
│   └── [2.6K]  blocks.py
├── [ 307]  cve-2025-6218.py
├── [4.0K]  general
│   ├── [1.1K]  archive.py
│   ├── [2.2K]  blocks.py
│   └── [2.9K]  extras.py
├── [4.0K]  items
│   ├── [3.7K]  blocks.py
│   ├── [5.9K]  extras.py
│   └── [2.2K]  service.py
├── [1.6K]  rartypes.py
├── [4.6K]  README.md
├── [  82]  test.rar
└── [4.0K]  utils
    ├── [1.5K]  bytes.py
    └── [1.4K]  filetime.py

4 directories, 14 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.