来源

关联漏洞

描述

A simple proof of concept for WinRAR Path Traversal | RCE | CVE-2025-6218

介绍

# CVE-2025-6218 | ZDI-CAN-27198 | ZDI-25-409 - WinRAR Path Traversal -> Remote Code Execution (RCE) 
## Proof of Concept

More information: 
* https://www.win-rar.com/singlenewsview.html?&L=0
* https://www.cvedetails.com/cve/CVE-2025-6218/
* https://www.zerodayinitiative.com/advisories/ZDI-25-409/


> RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
> 
> The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

> Published 2025-06-21 00:09:03 Updated 2025-06-23 20:16:22 Source Zero Day Initiative
> 
> Vulnerability category: Directory traversal | Execute code



A very minimal and simple proof of concept for CVE-2025-6218 WinRAR path traversal vulnerability. *(Also included: my toolset for playing around with the RAR format for vulnerability testing)*

**Path traversal to RCE chain not included in the POC, but arbitrary file write to RCE on windows is trivial.** 

Create the proof of concept:
```bash
$ python3 cve-2025-6218.py
```

If you extract this archive, the test.txt will be extracted one level outside the current directory.


The issue stems from a specific conflict between how whitespaces are sanitized, how path traversals are scanned in WinRAR executable until version 7.11:

A bit simplified and cleaned up version:
```c
void file_name_check(char *a1){
  cur_filename = a1;
  j = 0;
  cur_pos = 0;
  if ( *(a1 + 4) > 0 )
  {
    offset = 0;
    while ( 1 )
    {
      if ( (cur_pos + 1) == cur_filename[2] )
        goto BREAK;
      str = cur_filename;
      if ( cur_filename[3] > 7 )
        str = *cur_filename;
      if ( str[offset + 1] == '\\' || str[offset + 1] == '/' )
      {
BREAK:
        if ( cur_pos >= 0 )
          break;
      }
LOOP_START:
      ++cur_pos;
      ++offset;
      if ( cur_pos >= *(cur_filename + 4) )
        goto LABEL_47;
    }
    while ( 1 )
    {
      if ( str[offset] != '.' )
      {
        if ( str[offset] != ' ' )
          goto LOOP_START;
      }
      if ( !cur_pos )
      {
        if ( str[offset] == ' ' )
        {
          str[offset] = '_';
          goto LOOP_START;
        }
      }
      if ( str[offset] == '.' )
      {
        if ( !cur_pos )
          goto LOOP_START;
        if ( str[offset - 1] == '\\' || str[offset - 1] == '/' )
          goto LOOP_START;
        if ( cur_pos == 2 )
        {
          if ( is_safe_character(cur_filename) )
            goto LOOP_START;
        }
        else if ( cur_pos < 1 )
        {
          goto DELETE;
        }
        if ( str[offset - 1] == '.' )
        {
          if ( cur_pos == 1 )
            goto LOOP_START;
          if ( str[offset - 2] == '\\' || str[offset - 2] == '/' || cur_pos == 3 && is_safe_character(cur_filename) )
            goto LOOP_START;
        }
      }
DELETE:
      delete_char(cur_filename, cur_pos, 1u);
      --offset;
      if ( --cur_pos < 0 )
        goto LOOP_START;
    }
  }

//...
}
```


After 7.12:
```c
void __fastcall file_name_check(char **a1){
  cur_filename = a1;
  j = 0;
  if ( *(a1 + 4) > 0 )
  {
    offset = 0;
    fname_index = 1;
    do
    {
      if ( fname_index == cur_filename[2] )
        goto HANDLE_DIR_NEXT;
      str = cur_filename;
      if ( str[offset + 1] == '\\' || str[offset + 1] == '/' )
      {
HANDLE_DIR_NEXT:
        if ( offset >= 0 )
        {
          if ( str[offset] == '.' )
            goto FILENAME_BEGINS;
          if ( str[offset] == ' ' )
          {
FILENAME_BEGINS:
            if ( str[offset] != '.' )
              goto CONT;
            if ( offset )
            {
              if ( str[offset - 1] != '\\'
                && str[offset - 1] != '/'
                && (offset != 2 || !is_safe_character(cur_filename)) )
              {
                if ( str[offset - 1] != '.' )
                  goto CONT;
                if ( offset != 1 )
                {
                  if ( str[offset - 2] != '\\'
                    && str[offset - 2] != '/'
                    && (offset != 3 || !is_safe_character(cur_filename)) )
                  {
CONT:
                    str[offset] = '_';
                  }
                }
              }
            }
          }
        }
      }
      ++j;
      ++offset;
      ++fname_index;
    }
    while ( j < *(cur_filename + 4) );
  }

//...

}
```

文件快照

 [4.0K]  /data/pocs/308c406328cf8f0880e50333fc7fcd7cb60ac7f5
├── [2.8K]  base.py
├── [4.0K]  blocks
│   └── [2.6K]  blocks.py
├── [ 307]  cve-2025-6218.py
├── [4.0K]  general
│   ├── [1.1K]  archive.py
│   ├── [2.2K]  blocks.py
│   └── [2.9K]  extras.py
├── [4.0K]  items
│   ├── [3.7K]  blocks.py
│   ├── [5.9K]  extras.py
│   └── [2.2K]  service.py
├── [1.6K]  rartypes.py
├── [4.6K]  README.md
├── [  82]  test.rar
└── [4.0K]  utils
    ├── [1.5K]  bytes.py
    └── [1.4K]  filetime.py

4 directories, 14 files

备注