A Wolf in Sheep's Clothing: How Attackers Exploit CVE-2023-38831 in WinRAR

CVE-2023-38831 in the archiver WinRAR. This vulnerability is actively used by hackers in attacks on domestic companies. The report of the company BI.ZONE records information that attackers from groups Cobalt Werewolf, Mysterious Werewolf used this vulnerability to deliver a malicious payload. In this case, the vulnerability exploited a malicious archive when delivering a phishing email. Similar information is provided by researchers from Positive Technologies, who linked the activity of the ExCobalt group to the exploitation of CVE-2023-38831. Cases of exploitation of this malware vulnerability have also been recorded Agent Tesla and DarkMe. It is worth noting that according to the company Kaspersky In 2024, this vulnerability will be the third most frequently exploited by attackers in Russia and the CIS countries.

In my article, I will describe the essence of the vulnerability, demonstrate its exploitation, as well as the generated activity events. Then I will describe in detail the process of vulnerability detection and identify the main artifacts using R-Vision SIEM.

Description of vulnerability

In Windows, you can't have two files with the same name in the same directory. You also can't have a file and a directory with the same name (file test.txt and directory test.txt). But in archivers like WinRAR/7zip it is possible. In a compressed file, despite the fact that there are files with the same name, they are written in a special structure. Thus, in a ZIP/RAR file there can be two objects (files/directories) with the same name.

Is this what CVE-2023-38831 is all about? Partially yes, but there is one more nuance.

So, when there is a file and a directory with the same name in an archive file, and the file is opened by double-clicking on it (the target file), all files with the same name as the target file (including files inside the directory with the same name) are extracted. All extracted files are written to a temporary directory at the path %tmp%This behavior of WinRAR seems strange, since 7Zip does not behave this way.

Checking for a breach in the system

In practice, it is not possible to put two objects with the same name into one archive file in WinRAR. In this case, 7Zip was used to create a zip file.

For this we have a directory that contains files text1.txt And text2.txt. The size and contents of the files are different:

Next, the 7Zip CLI is used to create and add files to the archive. test.zip:

Now we have an archive containing the two files we added.

Next, we will rename the file text2.txt V text1.txt. This can be done using the flag rn at 7Zip.

As a result, we get two files with the same name in one archive. This archive can be opened, among other things, via WinRAR. You can also notice that despite the same name, one file is empty, the second has the following contents:

Now let's open a 4-byte file inside the archive by double-clicking and see what file will be opened:

You can see that WinRAR offers us to replace the existing file. This means that there is already a file with the same name, the size of which is 0 bytes (empty file). If you agree to replace the file, the empty file will be replaced with a non-empty one, and we will see the contents of the file:

What happened?

WinRAR first creates a temporary folder in the directory %tmp%and then extracts the first file text1.txt. Now in the temporary directory we have the first text1. But after that WinRAR also tries to extract the second text1.txt. Since Windows does not allow two files with the same name in the same directory, WinRAR prompts you to choose an action for this new file. If you click “Yes”, the second file will overwrite the first, and you will see the contents of the second file. WinRAR checks all the names of files and directories in the archive with the target file. If one of them has a name that matches the name of the file to be extracted (the target file), the function returns 1, i.e. extracts it too. In this case, 7-Zip simply extracts the file you want to open.

The function in the figure above compares the names of two files character by character to determine whether they are equal or not. We have two files with the same name, both called text1.txt. When it is necessary to extract a file from an archive, WinRAR checks the name of the target file with the names of all objects existing in the archive. For example, if we have five files in an archive and we want to extract one of them, WinRAR checks the name of this file with the names of the other four files.

Now, if the names of these files were the same, the function checks one more thing.

Suppose we want to extract fileA, and we have another file in the archive – fileB (which has the same name as fileA). Also in the archive there is a directory dirA with the same name as fileA in which fileB is located (thus dirA, fileA and fileB are the same names). When fileA is clicked to extract it, WinRAR checks if the name of fileA is equal to any other file or directory. If the file name is equal to fileA, it is added to the extraction list. Also, if the name of the directory dirA is equal to fileA, WinRAR checks the files in this directory with the name fileA. If any of them are equal, they are also added to the extraction list. The scheme is clearly shown in the figure:

The function first checks the file names and then checks if the fileB name contains the characters \\ (is a directory) or / (is the end of the file). If the file names are the same or fileB is a directory, the function returns 1, i.e. continues extracting. So, if we have a file or directory with a name equal to the file name to be extracted, the function returns 1, and then WinRAR extracts these files as well.

Exploitation of vulnerability

We have a file which is the main file with a space " " at the end of its name. We also have a directory with the same name as the main file and a space at the end of its name. " ". Inside the directory we have another file with the same name as the main file and a space at the end of its name " "and then with the extension .cmd. This file contains the payload.

The archive structure looks like this:

text.txt (D)  
--text.txt .cmd (F)  
text.txt (F)

The CMD file calls the calculator:

Now, when opening an archive file text1.txt (F)WinRAR compares all files in the archive to find files/directories with the same name as text1.txt (F).

Correction: during testing, you may notice different %tmp% directories, this is due to the fact that the activity was recorded within the framework of different tests.

When WinRAR compares file name text1.txt (F) with directory name text1.txt (D)it turns out that they are equal. So WinRAR continues checking the files inside the directory and finds that the file text1.txt. cmd (F) matches the target file, so it adds it to the list to extract.
An example of operation looks like this:

In this case, you can see how the files are created, the WinRAR process uses CreateFile API call to write files to a temporary directory.

Now our list of files from the archive to extract looks like this:

You can also pay attention to the generated events of creation of extracted files in %tmp% directories in Sysmon/Operational EventID 11(FileCreate):

Because after opening a legitimate file text1.txt The vulnerability also allows the command line file to be opened text1.txt .cmdthen Security events are generated as a result EventID 4688(Process Creation) and Sysmon/Operational EventID 1(Creation Process):

Why does this happen?

To understand why this happens, let's look at the documentation. Microsoft:

• If the file is saved as Foo.txtwhere the first character is an ASCII white space (0x20), it will be stored in the file system as Foo.txt (without space).

• If the file is saved as Foo.txt where the trailing characters are ASCII space (0x20), it will be stored in the file system as Foo.txt.

Based on the above, we can conclude that when saving a file, all extra spaces at the end of the file name should be removed. But now let's go further and remember what happened after we launched the files from the archive.

WinRAR will try to open the file "text1.txt "but WinRAR doesn't know how to do that. For example, if our target file was a PDF file, WinRAR doesn't know what program to use to do that, or what application is used to open text files on a particular Windows system. In such cases, applications use Windows APIs, such as ShellExecuteExW.

From the documentation Microsoft:

Функция ShellExecuteExW - выполняет операцию с указанным файлом.

ShellExecute — is a Windows API function that is used to perform various operations related to file manipulation or system interaction. It performs a specified file or operation using the default action associated with a particular file extension or application.

The function takes an argument as input. SHELLEXECUTEINFOwhich has the following structure:

In this structure we are interested in the parameters lpVerb And lpFileFrom Microsoft documentation on the IpVerb parameter:

Type: LPCTSTR

A string, called a verb, that specifies the action to perform. The available commands depend on the specific file or folder. Typically, the actions available in the context menu of an object are the available commands. This parameter can be NULL, in which case the default command is used if available. Otherwise, the “open” command is used. If no verbs are available, the system uses the first command listed in the registry. If there is no reason to restrict the action to a specific command, pass NULL to use a computed default. This is necessary in some cases, such as when specifying SEE_MASK_FLAG_NO_UI and creating an “Open With” UI when no applications are installed.

The following commands are commonly used:

• edit: Starts the editor and opens the document for editing. If lpFile is not a document file, the function will fail.

• explore: Explores the folder specified by lpFile.

• find: Initiates a search starting from the specified directory.

• open: Opens the file specified by the lpFile parameter. The file can be an executable file, a document file, or a folder.

• print: Prints the document file specified by lpFile. If lpFile is not a document file, the function fails.

• properties: Displays the properties of a file or folder.

• runas: Runs the application as an administrator. User Account Control (UAC) prompts the user to agree to run the application with elevated privileges or to enter the credentials of the administrator account used to run the application.

The parameter described above is very important. It says that if the IpVerb parameter is NULL, then the default command is used if it is available. Otherwise, the command is used open.

From Microsoft documentation on the IpFile parameter:

Pointer to a null-terminated string that specifies the name of the file or object for which ShellExecuteEx will perform the action specified by the lpVerb parameter.

That is, the IpFile parameter is the path to the file used by the ShellExecuteExW function to perform the action from the IpVerb parameter.

Moreover, if you pay attention to the parameters in WinRAR, then in the function ShellExecuteExW IpVerb is NULL, while in the parameter lpFilewhich contains the path to the file being opened, will be a space character (0x20) "text1.txt "although earlier it was said about Windows handling of spaces in files. In essence, the function call ShellExecuteExW With lpFile equal "text1.txt " and is a file execution vulnerability "text1.txt .cmd"The figure shows the contents of the variables. lpFile And lpVerbyou can see that there is an appeal to "text1.txt ":

How does it happen that when you call "text1.txt " is starting "text1.txt .cmd"? As we learned earlier, due to a vulnerability in WinRAR, not only the file we want to extract is extracted, but also files that match the name. In addition, when files are placed in a temporary directory, Windows and WinRAR mechanisms convert the files by removing spaces from the end of their names. Below is a conversion table:

The vulnerability lies in the fact that when we double-click on files and they are transferred to %tmp% directory, when called ShellExecuteExW WinRAR passes unchanged file names there. And it turns out that the call goes to ShellExecuteExW("text.txt "), but since the file is in %tmp% was transformed ("text.txt"), as described in documentationthen the request goes to the file with the appropriate name – "text.txt .cmd"This is where the vulnerability lies.

A more visual example can be seen below, where we run "text.txt .cmd" without specifying the .cmd extension:

Vulnerability Conclusion

Based on the activity analysis, two vulnerabilities can be identified:

First vulnerability:

1. By default, when unpacking a file from an archive, WinRAR goes through the entire archive looking for matching file/directory names. For example, if we open a file "text.txt "and at the same time we have a directory "text.txt "in which the file is located "text.txt .cmd"then WinRAR will accept the files "text.txt " And "text.txt .cmd" as identical.

2. After this, all files that have passed validation are placed in %tmp% directory from which the launch will be performed.

Second vulnerability:

WinRAR checks for spaces at the end of a file, converting them to null characters (0x00) ("text.txt " -> "text.txt", "text.txt .cmd" -> "text.txt .cmd").

1. IN %tmp% archive converted files are transferred "text.txt", "text.txt .cmd".

2. The vulnerability is that once the files are in %tmp% directories using the API call ShellExecuteExW(), the unpacked file is accessed "text.txt " (which we double-clicked initially in the archive), but the problem is that after the transformations in %tmp% directory file changed to "text.txt" (without a space), and the file with a space remains "text.txt .cmd".

3. As a result, the ShellExecuteExW() function is called to the malicious file. "text.txt .cmd"

Activity detection

The R-Vision SIEM expertise package already has a rule that detects this activity using the rule «Запуск интерпретатора командной строки от WinRAR»Next we will analyze its operating logic.

The part of the rule's detection logic where the trigger occurs when the process is created. cmd.exe from parent process winrar.exe:

filter: !vrl |
  .dvendor == "Microsoft" &&
  includes(["1", "4688"], .externalId)
  
aliases:
  cmd_exec:
    filter: !vrl |
      flag = false
      sproc = downcase(to_string(.sproc) ?? "-")
      dproc = downcase(to_string(.dproc) ?? "-")
      if ends_with(sproc, "\\winrar.exe") && ends_with(dproc, "\\cmd.exe"){
        flag = true
      }
      flag

If the previously described detection is more general, then the R-Vision SIEM rule Эксплуатация уязвимости в WinRAR - CVE-2023-38831 allows us to identify the exploitation of CVE-2023-38831:

Part of the detection logic of the rule, where the event of creating a file in a temporary directory is filtered. It is important that the file has two extensions and a space between these extensions:

filter: !vrl |
  .dvendor == "Microsoft" &&
  .externalId == "11"
  
aliases:
  mal_file_create:
    filter: !vrl |
      flag = false
      filePath = downcase(to_string(.filePath) ?? "-")
      fileName = to_string(split(filePath, "\\\\")[-1])
      dproc = downcase(to_string(.dproc) ?? "-")
      if ends_with(dproc, "\\winrar.exe") &&
      contains(filePath, "\\\\appdata\\\\local\\\\temp\\\\rar$") &&
      match(fileName, r'\.[a-zA-Z0-9]{1,4}\s+\.(cmd|bat)$'){
        flag = true
      }
      flag

Conclusion

Based on the analysis described above, the following can be identified CVE-2023-38831 vulnerability protection recommendations:

• Install the update.
  This vulnerability affects WinRAR versions prior to 6.23. It is recommended to update WinRAR to the latest version. Regularly updating your software, browsers, and devices is an important security practice that will help protect your systems from known vulnerabilities and cyber threats.

• Be careful.
  Always be wary of messages that ask you to click a link or open an attachment.

• Adjust the settings.
  Set up email security technologies such as SPF, DKIM and DMARCto authenticate and verify the origin of incoming messages.

• Conduct monitoring and analysis.
  Having proper logging, asset visibility, and system monitoring are important components of a robust cybersecurity strategy. These measures provide visibility into the network and help identify anomalies that may indicate a security threat.

• Keep an eye out for new attack trends.
  Stay up-to-date with new trends that attackers are using to help you identify potential risks early.

In addition, the use of security solutions such as R-Vision SIEM will help to detect this activity in a timely manner and prevent further development of the attack if the CVE-2023-38831 vulnerability is exploited.

Thus, the detection logic in R-Vision SIEM rules is aimed at monitoring process creation events cmd.exe from the process winrar.exe by events Sysmon Log EventID 1 And Security EventID 4688 (for the rule «Запуск интерпретатора командной строки от WinRAR») and by events of file creation in a temporary directory with a double extension, where there will be a space between the extensions, this activity can be tracked by events Sysmon log event ID 11 (for the rule «Эксплуатация уязвимости в WinRAR — CVE-2023-38831»). Using these events in correlation rules allows us to detect vulnerability exploitation in a timely manner.

If you have any questions, I'll be happy to answer them in the comments!

Author: Ilya Efimov, cybersecurity threat research analyst at R-Vision.