CVE-2018-20250 (WinRAR UNACEV2.DLL)

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

CVE-2018-20250 (WinRAR UNACEV2.DLL)

Post by Xylitol » Fri Mar 15, 2019 2:05 pm

Extracting a 19 Year Old Code Execution from WinRAR - https://research.checkpoint.com/extract ... om-winrar/
Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) - https://securingtomorrow.mcafee.com/oth ... 018-20250/
Possibly the first malware delivered through mail to exploit WinRAR vulnerability - https://twitter.com/360TIC/status/1099987939818299392
upgrades in winrar exploit with social engineering and encryption - https://twitter.com/360TIC/status/1100738261830397952
CVE-2018-20250 exp - https://github.com/WyAtu/CVE-2018-20250
https://www.rarlab.com/rarnew.htm wrote:
Version 5.70
21. Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.

We are thankful to Check Point Software Technologies for reporting
this issue.
Samples from the Twitter links are attached.
https://www.virustotal.com/en/file/7871 ... 552429820/
https://www.virustotal.com/en/file/6420 ... 552149551/
and additionally: viewtopic.php?f=21&t=5453

edit: as it seems to rain samples, here is a generic rule:

Code:

rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
{
    meta:
        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
        author = "xylitol@temari.fr"
        date = "2019-03-17"
        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
        // May only the challenge guide you
    strings:
        $string1 = "**ACE**" ascii wide
        $string2 = "*UNREGISTERED VERSION*" ascii wide
        // $hexstring1 = C:\C:\
        $hexstring1 = {?? 3A 5C ?? 3A 5C}
        // $hexstring2 = C:\C:C:..
        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
    condition:
        $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
}
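The rule above only matches byte patterns; an added example (my own code, not part of the post or of the Check Point/rarlab material) shows the same checks as a header walker that actually parses the ACE main header and file headers and pulls out the FNAME field, so the offending path can be printed. The header layout used (CRC/size prefix, "**ACE**" at offset 7, advert text at offset 31, file header fields TYPE, FLAGS, PSIZE, SIZE, FTIME, ATTR, CRC32, TECH, RESERVED, FNAME_SIZE, FNAME) is the standard ACE layout without the 64-bit size extension, and the archive fed to it is constructed in the script itself, with zeroed CRCs and dummy packed data; it is not one of the attached samples.

```python
import re
import struct

# Fixed strings the YARA rule anchors on, at the same offsets.
ACE_SIGNATURE = b"**ACE**"              # offset 7 of the archive
ACE_ADVERT = b"*UNREGISTERED VERSION*"  # offset 31 of the archive

# Byte-level equivalents of $hexstring1 ( ?:\?:\ ) and $hexstring2 ( ?:\?:?:. ).
TRAVERSAL_PATTERNS = [
    re.compile(rb".:\\.:\\", re.DOTALL),    # e.g. C:\C:\
    re.compile(rb".:\\.:.:\.", re.DOTALL),  # e.g. C:\C:C:..
]
DRIVE = re.compile(rb"[A-Za-z]:")


def looks_like_hostile_ace(data: bytes) -> bool:
    """Port of the YARA condition: both fixed strings at their offsets plus at
    least one drive-letter traversal pattern anywhere in the file."""
    if data[7:14] != ACE_SIGNATURE:
        return False
    if data[31:31 + len(ACE_ADVERT)] != ACE_ADVERT:
        return False
    return any(p.search(data) for p in TRAVERSAL_PATTERNS)


def ace_filenames(data: bytes) -> list:
    """Walk the header chain and return the FNAME field of every file header.
    Every header is CRC(2) SIZE(2) followed by SIZE body bytes; a file header
    body (TYPE == 1) is TYPE(1) FLAGS(2) PSIZE(4) SIZE(4) FTIME(4) ATTR(4)
    CRC32(4) TECH(4) RESERVED(2) FNAME_SIZE(2) FNAME, and PSIZE bytes of packed
    data follow the header. Assumes 32-bit sizes (no ADDSIZE flag)."""
    names = []
    pos = 0
    while pos + 4 <= len(data):
        head_size = struct.unpack_from("<H", data, pos + 2)[0]
        body = data[pos + 4:pos + 4 + head_size]
        if not body:
            break
        if body[0] == 1:
            if len(body) < 31:
                break
            fname_size = struct.unpack_from("<H", body, 29)[0]
            names.append(body[31:31 + fname_size])
            psize = struct.unpack_from("<I", body, 3)[0]
            pos += 4 + head_size + psize
        else:
            pos += 4 + head_size
    return names


def is_suspicious_name(name: bytes) -> bool:
    """Strip one leading drive spec, as a naive cleaning step would, and flag a
    name that is still absolute (another drive spec) or walks upward (..)."""
    rest = name[2:] if DRIVE.match(name) else name
    rest = rest.lstrip(b"\\/")
    parts = re.split(rb"[\\/]", rest)
    return bool(DRIVE.search(rest)) or b".." in parts


def hostile_filenames(data: bytes) -> list:
    """File names inside the archive that would escape the extraction folder."""
    return [n for n in ace_filenames(data) if is_suspicious_name(n)]


def build_ace(names) -> bytes:
    """Constructed demo archive (not a real sample): main header with the
    unregistered advert, then one file header plus 4 dummy packed bytes per name."""
    main_body = (b"\x00" + b"\x00\x00" + ACE_SIGNATURE      # TYPE, FLAGS, sign
                 + b"\x14\x14\x02\x00"                        # VER_MOD VER_CR HOST VOL
                 + b"\x00" * 4 + b"\x00" * 8                  # TIME_CR, RESERVED1
                 + bytes([len(ACE_ADVERT)]) + ACE_ADVERT)     # AV_SIZE, AV
    out = b"\x00\x00" + struct.pack("<H", len(main_body)) + main_body
    for name in names:
        payload = b"\x00" * 4
        body = (b"\x01" + b"\x00\x00"
                + struct.pack("<I", len(payload)) + struct.pack("<I", len(payload))
                + b"\x00" * 16 + b"\x00\x00"                  # FTIME ATTR CRC32 TECH, RESERVED
                + struct.pack("<H", len(name)) + name)
        out += b"\x00\x00" + struct.pack("<H", len(body)) + body + payload
    return out


if __name__ == "__main__":
    sample = build_ace([b"C:\\C:\\Users\\Public\\payload.exe", b"readme.txt"])
    print("YARA-style match:", looks_like_hostile_ace(sample))
    for name in hostile_filenames(sample):
        print("escapes destination folder:", name.decode())
```

Running it prints the single escaping name; a clean archive containing only `readme.txt` matches neither the byte patterns nor the name check, which is the difference worth keeping in mind: the YARA rule fires on the raw bytes, the walker fires on the parsed field, and a sample padded to defeat one will not necessarily defeat the other.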


Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Post by Xylitol » Tue Mar 19, 2019 4:36 am

So far the rule works well.
It has also been pulled here: https://github.com/Yara-Rules/rules/blo ... -20250.yar

Code:

---------- MATCH: CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
FILE >>>>> C:/SBOX/temp/ace/0312885f07b5a028e64c6a2a440a8584c67adf2c0986e99447328c4bede4e102 - wincon.exe - bb7df04e1b0a2570657527a7e108ae23 *riskfree* (nullbytes)
FILE >>>>> C:/SBOX/temp/ace/0a8d46694dcd3c817ca507d3004366352926bed39897aa19c605bf407841605e - Dropbox.exe - febf7d5f01d8ddd584ae3b9f051f6338
FILE >>>>> C:/SBOX/temp/ace/4bde9006a960da9388d3c45cbebb52ff5015e0fbe0c4d80177b480cba8abd5a0 - Wipolicy.vbe - ad121c941fb3f4773701323a146fb2cd
FILE >>>>> C:/SBOX/temp/ace/642018f0cc2afa550f51516db2015d25f317be8dd8cdf736428dfc1e8d541909 - OfficeUpdateService.exe - 782791b7ac3daf9ab9761402f16fd407
FILE >>>>> C:/SBOX/temp/ace/a49d55cd7ca0dab2d84308d56bf3f7d6b3903135b9eccd8924ab1b695bb18d93 - WinRARBeta.exe - 81521fb7a73b70881016e99416963f2a
FILE >>>>> C:/SBOX/temp/ace/dcda4a01ab495145ba56c47ff2fe28dbd0b1088fb5c102577a75d9988e8e7203 - Update.exe - b6c12d88eeb910784d75a5e4df954001 *riskfree* (PuTTY)
FILE >>>>> C:/SBOX/temp/ace/e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec - hi.exe - 153115cfc536f991a5a7349d78be1772

17-03-2019:
FILE >>>>> C:/SBOX/temp/ace/551541d5a9e2418b382e331382ce1e34ddbd92f11772a5d39a4aeb36f89b315e - GoogleUpdate.exe - 35f050c384154c4ae23e02b3fce79847
FILE >>>>> C:/SBOX/temp/ace/a49d38a10fa10b5d143d7505b99072ce69b2fc55a8dcf163230e48f3defa67f2 - test.txt - *riskfree* (text file)
FILE >>>>> C:/SBOX/temp/ace/d5d2dfda3e61f26a5c6f173245131dd7c44515ea56a74fc075f614f62593586c - Discord.exe - bcc49643833a4d8545ed4145fb6fdfd2 *Njrat*
FILE >>>>> C:/SBOX/temp/ace/f3e488aff1329fbeff66e0522ecfdf62cdc5ba92affe387e39c6486dd8b29a95 - calc.js - 25a5ade2448f2c664730c2c230350cad
FILE >>>>> C:/SBOX/temp/ace/3a6cc90db63a6d09721886b6e3f795e32f355d42e8faef560349ec068a9435f1 - Telegram Desktop.exe - 36027a4abfb702107a103478f6af49be
FILE >>>>> C:/SBOX/temp/ace/6732e5c6b28db5f2282d9a9f0464f5d59f4986eeeb3647e7be149b363e267c1b - calc.exe - 10e4a1d2132ccb5c6759f038cdb6f3c9 *riskfree* (Microsoft)
FILE >>>>> C:/SBOX/temp/ace/d030001c5383878517fc32c79940223a0a55d9b0ee90f850b6f0522db9978e97 - hi.exe - fc63382fde12f938bb6845c7c85ddd98

18-03-2019:
FILE >>>>> C:/SBOX/temp/ace/4d524c271ae0e40e7526ecda9a28bc99e83f5b26d98737f0f8f6b585f05b6d22 - old.exe - 119a0fd733bc1a013b0d4399112b8626
FILE >>>>> C:/SBOX/temp/ace/1746abc840a16a95824cc92f48fa1a40a11ae72b39c26be9f5dcdada09f3762d - items.txt - *riskfree* (text file)
FILE >>>>> C:/SBOX/temp/ace/a642378765e24768fd688fc6ad1e78bee3db6ee37605cb776d0189ee41e1b0be - update.exe - b74909e14e25d2e9d1452b77f9927bf6 *bad detections* https://www.virustotal.com/en/file/55a2a99c6fa9e85c74c26704124551adb496c8f114e1bbd003430b6bf6d22e5c/analysis/1552893947/
FILE >>>>> C:/SBOX/temp/ace/fcd460859250768d96ed254ab4aec4ab2ce542e6622d731f8f9a09eb949dd93f - Integrity.exe - 98172becba685afdd109ac909e3a1085
FILE >>>>> C:/SBOX/temp/ace/2e9767932b3b5911f59f021253f12374c70fe4f26459302506d612f577517b9e - calc.exe - dead69d07bc33b762abd466fb6f53e11 *riskfree* (Microsoft)

19-03-2019:
FILE >>>>> C:/SBOX/temp/ace/af24c57468944d3d7ddd53609f4d8c959fc7529f89f6f0ce819acadabf0f37de - hi.exe - f2cd27e5a72071c0b0647858cd9eb5b6
A bit of everything, mostly RATs, ransomware also; looks like the guys at 360TIC have seen it as well: https://twitter.com/360tic/status/1107505406744514561
