New UnRAR vulnerability could allow attackers to hack Zimbra webmail servers

A new security vulnerability has been disclosed in RARlab’s UnRAR utility which, if successfully exploited, could allow a remote attacker to execute arbitrary code on a system that relies on the binary.

The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in Unix versions of UnRAR that can be triggered when extracting a maliciously crafted RAR archive.

Following the responsible disclosure on May 4, 2022, the shortcoming was corrected by RarLab as part of version 6.12 released on May 6. Other software versions, including those for Windows and Android operating systems, are not affected.

cyber security

“An attacker is able to create files outside of the target extraction directory when a victimized application or user extracts an untrusted archive,” SonarSource researcher Simon Scannell said in a report released Tuesday. “If they can write to a known location, they will likely be able to exploit it in a way that leads to the execution of arbitrary commands on the system.”

It should be pointed out that any software that uses an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

This also includes the Zimbra collaboration suite, where the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker full access to a mail server and even abusing it to gain access. or overwrite other internal resources within the organization’s network.

The vulnerability, at its core, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symbolic link that is a mixture of slashes and backslashes (e.g., “.. ….tmp/ shell”) in order to bypass the current checks and extract it outside the expected directory.

cyber security

Specifically, the weakness relates to a function designed to convert backslashes (”) to forward slashes (“”) so that a RAR archive created on Windows can be extracted on a Unix system. , effectively changing the aforementioned symlink to “../../../tmp/shell”.

By leveraging this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra’s web directory and executing malicious commands.

“The only requirement for this attack is that UnRAR be installed on the server, which is expected as it is required for virus scanning and spam checking of RAR archives,” Scannell noted.

Comments are closed.