[YA-16] CVE-2023-40477: WinRAR vulnerable to remote code execution

admin, 2023-08-25 17:56:59, 104 views, 5494 characters, about 18 minutes to read


Notice

RARLAB has fixed a high-severity RCE vulnerability (CVE-2023-40477) in the popular file archiver tool WinRAR.

Introduction

A widely used Windows-only utility, WinRAR can create and extract file archives in various compression formats (RAR, ZIP, CAB, ARJ, LZH, TAR, GZip, UUE, ISO, BZIP2, Z and 7-Zip).
CVE-2023-40477 is a remote code execution vulnerability that could allow remote threat actors to execute arbitrary code on an affected WinRAR installation.
"The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer," the Zero Day Initiative security advisory explains.
The vulnerability can be exploited remotely and may allow attackers to execute code in the context of the current process, but the flaw's CVSS score (7.8) does not single it out as critical. The main reason for this is that exploitation requires user interaction, but getting users to download and open a booby-trapped RAR file delivered via email or other means is not very difficult.

The big picture: Despite being marketed as "trialware", WinRAR remains one of the most popular programs for file archiving tasks. Should a significant security flaw be found, Rarlab's tool could easily be employed in malicious campaigns.
The Zero Day Initiative (ZDI) recently identified a high-severity vulnerability in WinRAR, the Windows-only application created by Eugene Roshal for managing RAR archives. This bug, labeled CVE-2023-40477, involves improper validation of an array index during recovery volume processing. In a worst-case scenario, this flaw might be leveraged to run arbitrary (malicious) code remotely.
The CVE-2023-40477 vulnerability has been assigned a severity rating of 7.8, primarily because it demands user interaction to unleash its malicious potential. The issue appears to be a typical buffer overflow problem, stemming from insufficient validation of data provided by users. This can lead to a memory access beyond the end of an allocated buffer. As a result, attackers might exploit this to execute code in the context of the current process, as warned by ZDI.
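To make the bug class concrete, here is an added example written for this page; it is not WinRAR or RARLAB's UnRAR source and does not reproduce the actual RAR recovery-volume format. It is a toy parser for a hypothetical "recovery slice" record in which a destination slot index read from the file is used unchecked (the pattern ZDI describes: an unvalidated array index leading to a write past the end of an allocated buffer), beside a bounds-checked version. The record layout, the slot count, and every function name are assumptions; the benign, malicious and truncated inputs are constructed inline.

```c
/* Added example (not RARLAB code). Hypothetical record layout:
 *   byte 0  : n, number of slices that follow
 *   n times : 1 byte destination slot index, SLICE_LEN bytes of data */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLICE_LEN 16   /* bytes of parity data per slice (assumption) */
#define MAX_SLOTS 4    /* destination slots the extractor allocates (assumption) */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_BAD_INDEX = 2 };

/* Vulnerable pattern: the slot index comes straight from the file. An index
 * >= MAX_SLOTS makes memcpy write past the end of `slots` (out-of-bounds
 * write), and a record shorter than its count claims is read past its end. */
int parse_slices_vulnerable(const uint8_t *in, size_t in_len,
                            uint8_t slots[MAX_SLOTS][SLICE_LEN])
{
    size_t n = in[0];
    const uint8_t *p = in + 1;
    (void)in_len;                              /* never consulted */
    for (size_t i = 0; i < n; i++) {
        uint8_t idx = p[0];                    /* attacker-controlled */
        memcpy(slots[idx], p + 1, SLICE_LEN);  /* unchecked index */
        p += 1 + SLICE_LEN;
    }
    return PARSE_OK;
}

/* Hardened: the total length is checked against the declared count before
 * any read, and every index is checked against the slot count before use. */
int parse_slices_checked(const uint8_t *in, size_t in_len,
                         uint8_t slots[MAX_SLOTS][SLICE_LEN])
{
    if (in_len < 1) return PARSE_TRUNCATED;
    size_t n = in[0];
    if (in_len < 1 + n * (1 + SLICE_LEN)) return PARSE_TRUNCATED;
    const uint8_t *p = in + 1;
    for (size_t i = 0; i < n; i++) {
        uint8_t idx = p[0];
        if (idx >= MAX_SLOTS) return PARSE_BAD_INDEX;
        memcpy(slots[idx], p + 1, SLICE_LEN);
        p += 1 + SLICE_LEN;
    }
    return PARSE_OK;
}

/* Builds a constructed record with `n` slices aimed at the given slot
 * indices; each slice's data is its index byte repeated. Returns bytes written. */
size_t build_record(uint8_t *out, size_t cap, const uint8_t *indices, size_t n)
{
    size_t need = 1 + n * (1 + SLICE_LEN);
    if (n > 255 || cap < need) return 0;
    out[0] = (uint8_t)n;
    uint8_t *p = out + 1;
    for (size_t i = 0; i < n; i++) {
        *p++ = indices[i];
        memset(p, indices[i], SLICE_LEN);
        p += SLICE_LEN;
    }
    return need;
}

/* Runs the checked parser over a built record, optionally cut to `trunc`
 * bytes (0 = whole record). Returns the parse status. */
int parse_built_checked(const uint8_t *indices, size_t n, size_t trunc,
                        uint8_t slots[MAX_SLOTS][SLICE_LEN])
{
    uint8_t buf[1 + 255 * (1 + SLICE_LEN)];
    size_t len = build_record(buf, sizeof buf, indices, n);
    memset(slots, 0, MAX_SLOTS * SLICE_LEN);
    if (trunc && trunc < len) len = trunc;
    return parse_slices_checked(buf, len, slots);
}

/* Benign record (slices for slots 0 and 3): both parsers accept it, which is
 * exactly why the unchecked one survives ordinary testing. Returns 1 on success. */
int demo_benign(void)
{
    static const uint8_t idx[] = { 0, 3 };
    uint8_t buf[64], slots[MAX_SLOTS][SLICE_LEN];
    size_t len = build_record(buf, sizeof buf, idx, 2);   /* 35 bytes */
    memset(slots, 0, sizeof slots);
    if (parse_slices_vulnerable(buf, len, slots) != PARSE_OK) return 0;
    memset(slots, 0, sizeof slots);
    if (parse_slices_checked(buf, len, slots) != PARSE_OK) return 0;
    return slots[3][0] == 3 && slots[0][SLICE_LEN - 1] == 0 && slots[1][0] == 0;
}

/* Malicious record: second slice targets slot 200. The vulnerable parser would
 * memcpy 16 bytes at 200 * SLICE_LEN bytes past a 64-byte array; the checked
 * parser refuses it. Returns 1 if rejected with PARSE_BAD_INDEX. */
int demo_bad_index(void)
{
    static const uint8_t idx[] = { 0, 200 };
    uint8_t slots[MAX_SLOTS][SLICE_LEN];
    return parse_built_checked(idx, 2, 0, slots) == PARSE_BAD_INDEX;
}

/* Truncated record: claims two slices but only 10 bytes are present. */
int demo_truncated(void)
{
    static const uint8_t idx[] = { 0, 3 };
    uint8_t slots[MAX_SLOTS][SLICE_LEN];
    return parse_built_checked(idx, 2, 10, slots) == PARSE_TRUNCATED;
}

int main(void)
{
    printf("benign ok: %d, bad index rejected: %d, truncated rejected: %d\n",
           demo_benign(), demo_bad_index(), demo_truncated());
    return 0;
}
```

The demo deliberately runs only the benign record through parse_slices_vulnerable; feeding it the slot-200 record under AddressSanitizer (gcc -fsanitize=address) reports the out-of-bounds write. The two checks in parse_slices_checked, total length against the declared count before any read and each index against the allocated slot count before the copy, are the validation whose absence the advisory describes.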
The discovery of this vulnerability is credited to "goodbyeselene." ZDI informed Rarlab of its existence in June. The security advisory was published only recently, a couple of weeks after Rarlab fixed the bug in its newest WinRAR update.
WinRAR 6.23, released on August 2, 2023, includes a security patch addressing an "out of bounds write" in the recovery volume processing code for the older RAR4 archive format. Rarlab credited goodbyeselene and Trend Micro's ZDI for the research, even though it took two months to resolve this potentially dangerous security gap.
Additional enhancements in the WinRAR 6.23 release include extraction support for XZ archives (using the ARM64 filter), improved security for Rar$LS* temporary file handling, fixes for other security defects, improvements in file system metadata handling, and more. WinRAR is a "trialware" product, allowing users to try the software for up to 40 days. After this trial period, the software remains functional, but its advanced features become inaccessible.
With Microsoft currently piloting native support for RAR, as well as 7-Zip and GZ file formats, in Windows 11, RAR archives are poised to gain even more traction in the coming months and years. Rarlab also offers copyrighted yet freely accessible C++ source code for UnRAR, its command-line archive unpacking utility.

What to do?

Easily exploitable WinRAR vulnerabilities do not surface often, but when they do, attackers take note.
Case in point: in 2019, a WinRAR vulnerability (CVE-2018-20250) that allowed attackers to extract a malicious executable into one of the Windows Startup folders was exploited to deliver persistent malware. In that particular case, however, PoC exploit code was publicly available.
RARLAB has released a security update to address CVE-2023-40477, and WinRAR users should manually update to version 6.23 as soon as possible, since the software has no auto-update option.
In general, you should not open any file you receive (unsolicited or not) without scanning it for malware first.

References

https://www.helpnetsecurity.com/2023/08/21/cve-2023-40477
https://www.techspot.com/news/99857-winrar-latest-release-fixes-dangerous-rce-security-vulnerability.html



Originally published on the WeChat public account Eonian Sharp: [YA-16] CVE-2023-40477: WinRAR vulnerable to remote code execution

Reposted by CN-SEC 中文网 (with thanks to the original author); please keep this link when reposting: http://cn-sec.com/archives/1978178.html
