A significant vulnerability, assigned CVE-2022-30333, has been discovered in RARLAB UnRAR versions before 6.12 on Linux and UNIX systems. The flaw opens the door for adversaries to perform directory traversal attacks during the extraction process, potentially creating unauthorized files, such as ~/.ssh/authorized_keys. Notably, WinRAR and Android RAR are not affected by this vulnerability.

In this post, we will discuss the implications of this vulnerability, provide code snippets to demonstrate the exploit, and outline some critical steps to mitigate the risk resulting from this security flaw.

Exploit Details

The directory traversal vulnerability in RARLAB UnRAR allows an attacker to craft a malicious archive file that, when extracted, creates files outside the intended extraction directory. This potentially puts sensitive files, such as ~/.ssh/authorized_keys, at risk and grants malicious actors unauthorized access to the system.

To put this in perspective, the attacker creates a malicious RAR file as follows:

$ echo "This is a malicious payload" > payload.txt
$ rar a evil.rar payload.txt -x "../../../../../../home/user/.ssh/authorized_keys"

In this example, directory traversal is achieved by supplying a relative path for the payload.txt file (the -x parameter). When an unsuspecting user unpacks the archive, the payload is written to the ~/.ssh/authorized_keys file, granting the attacker unauthorized access.

Original References

RARLAB disclosed the vulnerability in its official release notes when it fixed the issue in version 6.12. The original reference and release notes are available at the following links:

- RARLAB Advisory: https://www.rarlab.com/rarnew.htm
- Release Notes for UnRAR 6.12: https://www.rarlab.com/rar/WhatsNew.htm

Mitigation Steps

To address this security flaw, users and system administrators should take the following mitigation steps:

1. Update to the latest version: Make sure to upgrade UnRAR to version 6.12 or later. This update includes the fix for this vulnerability, thus reducing the risk associated with it. You can download the latest release of the utility from the official website at https://www.rarlab.com/download.htm.

2. Exercise caution with unfamiliar RAR archives: Always be cautious when dealing with RAR archives, especially if they come from untrusted sources. If possible, inspect the files within the archive before extracting them or use an alternative archive utility.

3. Restrict file permissions: Limit write access to critical files, such as ~/.ssh/authorized_keys, to the necessary users. Regularly review file and directory permissions to minimize potential damage from vulnerabilities like this one.

4. Regularly monitor system files: Keep an eye on critical system files and watch for any unauthorized modifications. If you notice any unexpected changes, investigate immediately to determine the cause and establish whether a breach has occurred.
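
A pre-extraction check of the kind step 2 calls for, added here as an example and not code from the original post or from RARLAB: it takes an archive listing as data (the constructed sample below; in practice it would be fed from the extractor's list output) and flags any entry whose final location would fall outside the extraction root. It goes slightly beyond the page's plain file-name case by treating backslashes as separators and by resolving symlink targets as well, since an extractor that follows a link can equally write outside the root.

```python
"""Pre-extraction audit of an archive listing for directory traversal,
the class of flaw behind CVE-2022-30333 (data in, verdict out; pure Python)."""
import posixpath


def is_unsafe_entry(name: str) -> bool:
    """True if `name`, extracted relative to the root, would escape it."""
    # Judge the path in its final form: backslashes count as separators,
    # since an extractor may rewrite them to '/' after its own checks.
    norm = name.replace("\\", "/")
    if not norm or norm.startswith("/"):
        return True                      # empty or absolute path
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:                # climbed above the root
                return True
        else:
            depth += 1
    return False


def audit_entries(entries):
    """entries: iterable of (name, symlink_target or None). Returns the
    names that should block extraction of the whole archive. A link target
    is resolved against the link's own directory; link chains are not
    followed (assumption: one level is enough for pre-extraction triage)."""
    bad = []
    for name, target in entries:
        if is_unsafe_entry(name):
            bad.append(name)
        elif target is not None:
            norm_target = target.replace("\\", "/")
            if not norm_target.startswith("/"):
                base = posixpath.dirname(name.replace("\\", "/"))
                norm_target = posixpath.join(base, norm_target)
            if is_unsafe_entry(norm_target):
                bad.append(name)
    return bad


SAMPLE_ENTRIES = [  # constructed sample listing, not from a real archive
    ("payload.txt", None),
    ("docs/../readme.txt", None),                          # stays inside
    ("../../../../home/user/.ssh/authorized_keys", None),  # escapes root
    ("home/link", "../../.ssh/authorized_keys"),           # link escapes
    ("home/ok_link", "../payload.txt"),                    # link inside
]
```

If audit_entries returns anything for a listing, refuse to extract the archive at all rather than skipping the flagged entries, since a single escaping entry already marks the archive as hostile.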

Conclusion

CVE-2022-30333 is a critical vulnerability in RARLAB UnRAR that affects Linux and UNIX systems. The exploit can be carried out by taking advantage of a flaw in relative file paths during the extraction process. It is essential to apply the appropriate mitigations as soon as possible to safeguard your systems. Update UnRAR to version 6.12 or later, remain cautious with unknown RAR files, restrict file permissions, and actively monitor your system to minimize the risk associated with this vulnerability.

Timeline

Published on: 05/09/2022 08:15:00 UTC
Last modified on: 08/05/2022 17:15:00 UTC