CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Fri Mar 15, 2019 2:05 pm
by Xylitol
Extracting a 19 Year Old Code Execution from WinRAR - https://research.checkpoint.com/extract ... om-winrar/
Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) - https://securingtomorrow.mcafee.com/oth ... 018-20250/
Possibly the first malware delivered through mail to exploit WinRAR vulnerability - https://twitter.com/360TIC/status/1099987939818299392
upgrades in winrar exploit with social engineering and encryption - https://twitter.com/360TIC/status/1100738261830397952
CVE-2018-20250 exp - https://github.com/WyAtu/CVE-2018-20250
https://www.rarlab.com/rarnew.htm wrote: Version 5.70
21. Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes it possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.

We are thankful to Check Point Software Technologies for reporting
this issue.
Samples from the twitter links are in the attachment.
https://www.virustotal.com/en/file/7871 ... 552429820/
https://www.virustotal.com/en/file/6420 ... 552149551/
and additionally: viewtopic.php?f=21&t=5453

edit: as it seems to rain samples, here is a generic rule:

rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
{
    meta:
        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
        author = "xylitol@temari.fr"
        date = "2019-03-17"
        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
        // May only the challenge guide you
    strings:
        // ACE main header: the "**ACE**" signature sits at file offset 7
        $string1 = "**ACE**" ascii wide
        // advert string written by unregistered ACE tools, at file offset 31
        $string2 = "*UNREGISTERED VERSION*" ascii wide
        // $hexstring1 = C:\C:\   (doubled drive prefix of the traversal filename)
        $hexstring1 = {?? 3A 5C ?? 3A 5C}
        // $hexstring2 = C:\C:C:..
        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
    condition:
        $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
}
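
The same check as the rule above, written out in Python so the fixed offsets and the doubled-drive pattern can be triaged outside of yara. This is an added example, not Xylitol's rule or any project's code; the minimal ACE-like byte layout it builds for testing is constructed here (header fields zero-filled, only the signature, advert string and a file-name field populated) and the function names are mine.

```python
import re
import sys

# ACE main-header layout (fixed offsets from the start of the archive):
#   0..1 header CRC, 2..3 header size, 4 header type, 5..6 flags,
#   7..13 signature "**ACE**", 30 advert length, 31.. advert string.
# These fixed positions are why the rule uses "$string1 at 7" and "$string2 at 31".
ACE_SIGNATURE = b"**ACE**"
ACE_SIGNATURE_OFFSET = 7
UNREGISTERED_ADVERT = b"*UNREGISTERED VERSION*"
UNREGISTERED_ADVERT_OFFSET = 31

# The rule's hex patterns, as byte regexes. YARA's "??" matches any byte,
# including newline, hence re.DOTALL.
#   {?? 3A 5C ?? 3A 5C}        ->  ?:\?:\
#   {?? 3A 5C ?? 3A ?? 3A 2E}  ->  ?:\?:?:.
TRAVERSAL_PATTERNS = [
    re.compile(rb".:\\.:\\", re.DOTALL),
    re.compile(rb".:\\.:.:\.", re.DOTALL),
]


def _at(data: bytes, offset: int, needle: bytes) -> bool:
    """True if needle sits at offset, as ASCII or UTF-16LE ("ascii wide")."""
    wide = needle.decode("ascii").encode("utf-16-le")
    return data[offset:offset + len(needle)] == needle or \
        data[offset:offset + len(wide)] == wide


def is_ace_archive(data: bytes) -> bool:
    return _at(data, ACE_SIGNATURE_OFFSET, ACE_SIGNATURE)


def has_unregistered_advert(data: bytes) -> bool:
    return _at(data, UNREGISTERED_ADVERT_OFFSET, UNREGISTERED_ADVERT)


def find_traversal_markers(data: bytes) -> list:
    """Every (offset, matched bytes) hit for the doubled-drive patterns, for triage."""
    hits = set()
    for pattern in TRAVERSAL_PATTERNS:
        for m in pattern.finditer(data):
            hits.add((m.start(), m.group()))
    return sorted(hits)


def matches_cve_2018_20250(data: bytes) -> bool:
    """Equivalent of the rule's condition: both anchored strings and 1 of ($hexstring*)."""
    return is_ace_archive(data) and has_unregistered_advert(data) \
        and bool(find_traversal_markers(data))


def build_constructed_sample(filename: bytes) -> bytes:
    """Constructed test input (NOT a real archive): a zero-filled main header
    carrying only the signature and advert string, followed by a file-name field."""
    header = bytearray(31)
    header[ACE_SIGNATURE_OFFSET:ACE_SIGNATURE_OFFSET + len(ACE_SIGNATURE)] = ACE_SIGNATURE
    header[30] = len(UNREGISTERED_ADVERT)
    header += UNREGISTERED_ADVERT
    header += bytes(16)          # stands in for the next header's fixed fields
    header += filename
    return bytes(header)


def scan_file(path: str) -> dict:
    """Report for one file on disk: archive type check plus any traversal markers."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "ace": is_ace_archive(data),
        "unregistered_advert": has_unregistered_advert(data),
        "markers": find_traversal_markers(data),
        "match": matches_cve_2018_20250(data),
    }


if __name__ == "__main__":
    for p in sys.argv[1:]:
        r = scan_file(p)
        print(("MATCH   " if r["match"] else "        ") + r["path"],
              *(f"  @{off}: {m!r}" for off, m in r["markers"]))
```

Run it as `python ace_check.py file1 file2 ...`; only files whose main header carries the ACE signature and the unregistered-version advert, and which contain the doubled drive prefix anywhere, are reported as a match, so a renamed .rar that is really an ACE archive is caught while plain RAR/ZIP files are not.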

Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Tue Mar 19, 2019 4:36 am
by Xylitol
so far the rule works well.
it has also been pulled in here https://github.com/Yara-Rules/rules/blo ... -20250.yar

---------- MATCH: CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
FILE >>>>> C:/SBOX/temp/ace/0312885f07b5a028e64c6a2a440a8584c67adf2c0986e99447328c4bede4e102 - wincon.exe - bb7df04e1b0a2570657527a7e108ae23 *riskfree* (nullbytes)
FILE >>>>> C:/SBOX/temp/ace/0a8d46694dcd3c817ca507d3004366352926bed39897aa19c605bf407841605e - Dropbox.exe - febf7d5f01d8ddd584ae3b9f051f6338
FILE >>>>> C:/SBOX/temp/ace/4bde9006a960da9388d3c45cbebb52ff5015e0fbe0c4d80177b480cba8abd5a0 - Wipolicy.vbe - ad121c941fb3f4773701323a146fb2cd
FILE >>>>> C:/SBOX/temp/ace/642018f0cc2afa550f51516db2015d25f317be8dd8cdf736428dfc1e8d541909 - OfficeUpdateService.exe - 782791b7ac3daf9ab9761402f16fd407
FILE >>>>> C:/SBOX/temp/ace/a49d55cd7ca0dab2d84308d56bf3f7d6b3903135b9eccd8924ab1b695bb18d93 - WinRARBeta.exe - 81521fb7a73b70881016e99416963f2a
FILE >>>>> C:/SBOX/temp/ace/dcda4a01ab495145ba56c47ff2fe28dbd0b1088fb5c102577a75d9988e8e7203 - Update.exe - b6c12d88eeb910784d75a5e4df954001 *riskfree* (PuTTY)
FILE >>>>> C:/SBOX/temp/ace/e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec - hi.exe - 153115cfc536f991a5a7349d78be1772

17-03-2019:
FILE >>>>> C:/SBOX/temp/ace/551541d5a9e2418b382e331382ce1e34ddbd92f11772a5d39a4aeb36f89b315e - GoogleUpdate.exe - 35f050c384154c4ae23e02b3fce79847
FILE >>>>> C:/SBOX/temp/ace/a49d38a10fa10b5d143d7505b99072ce69b2fc55a8dcf163230e48f3defa67f2 - test.txt - *riskfree* (text file)
FILE >>>>> C:/SBOX/temp/ace/d5d2dfda3e61f26a5c6f173245131dd7c44515ea56a74fc075f614f62593586c - Discord.exe - bcc49643833a4d8545ed4145fb6fdfd2 *Njrat*
FILE >>>>> C:/SBOX/temp/ace/f3e488aff1329fbeff66e0522ecfdf62cdc5ba92affe387e39c6486dd8b29a95 - calc.js - 25a5ade2448f2c664730c2c230350cad
FILE >>>>> C:/SBOX/temp/ace/3a6cc90db63a6d09721886b6e3f795e32f355d42e8faef560349ec068a9435f1 - Telegram Desktop.exe - 36027a4abfb702107a103478f6af49be
FILE >>>>> C:/SBOX/temp/ace/6732e5c6b28db5f2282d9a9f0464f5d59f4986eeeb3647e7be149b363e267c1b - calc.exe - 10e4a1d2132ccb5c6759f038cdb6f3c9 *riskfree* (Microsoft)
FILE >>>>> C:/SBOX/temp/ace/d030001c5383878517fc32c79940223a0a55d9b0ee90f850b6f0522db9978e97 - hi.exe - fc63382fde12f938bb6845c7c85ddd98

18-03-2019:
FILE >>>>> C:/SBOX/temp/ace/4d524c271ae0e40e7526ecda9a28bc99e83f5b26d98737f0f8f6b585f05b6d22 - old.exe - 119a0fd733bc1a013b0d4399112b8626
FILE >>>>> C:/SBOX/temp/ace/1746abc840a16a95824cc92f48fa1a40a11ae72b39c26be9f5dcdada09f3762d - items.txt - *riskfree* (text file)
FILE >>>>> C:/SBOX/temp/ace/a642378765e24768fd688fc6ad1e78bee3db6ee37605cb776d0189ee41e1b0be - update.exe - b74909e14e25d2e9d1452b77f9927bf6 *bad detections* https://www.virustotal.com/en/file/55a2a99c6fa9e85c74c26704124551adb496c8f114e1bbd003430b6bf6d22e5c/analysis/1552893947/
FILE >>>>> C:/SBOX/temp/ace/fcd460859250768d96ed254ab4aec4ab2ce542e6622d731f8f9a09eb949dd93f - Integrity.exe - 98172becba685afdd109ac909e3a1085
FILE >>>>> C:/SBOX/temp/ace/2e9767932b3b5911f59f021253f12374c70fe4f26459302506d612f577517b9e - calc.exe - dead69d07bc33b762abd466fb6f53e11 *riskfree* (Microsoft)

19-03-2019:
FILE >>>>> C:/SBOX/temp/ace/af24c57468944d3d7ddd53609f4d8c959fc7529f89f6f0ce819acadabf0f37de - hi.exe - f2cd27e5a72071c0b0647858cd9eb5b6
a bit of everything, mostly RATs, some ransomware too; looks like the guys at 360TIC have seen it as well https://twitter.com/360tic/status/1107505406744514561

Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Wed Mar 20, 2019 5:52 pm
by nimaarek
How do I fix the second file's CRC check part to write a PoC?

Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Sat Mar 23, 2019 10:20 am
by Antelox
APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit

https://ti.360.net/blog/articles/apt-c- ... xploit-en/

BR,

Antelox

Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Tue Mar 26, 2019 5:04 pm
by Antelox
WinRAR Zero-day Abused in Multiple Campaigns

https://www.fireeye.com/blog/threat-res ... aigns.html

BR,

Antelox

Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Mon Apr 01, 2019 1:27 am
by Xylitol
March:

---------- MATCH: CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP

2019-03-31:
ceeb05b114d99453df04bba0138c597f4a87b446a55baf20d9d5a3f121dc7090  SMASH_Fornite_Logs.rar
027ccb2e3874e05fbaf750b2253c4044100021741abc77f720804de4040fe3a3  sdhong_exe.rar
acc5c5092e3f7f7967f1827434e4c738e867e476c9e4ea8afc18e1e680346cc6  sdhong_bat.rar
59e91a86f54103fb2f9a939d103dce5a9336e326b3b69c23d71ab6f00965e11d  test1.rar
225ebf984b6d076d36f793c3026e01bcaf7befd8d147a3f56d0f29638fa80c8c  test1.rar
e3bc0eac10715871ade157888b9488de9bd2e2f4c31d63ff07b40f8556195e0e  test.rar
4a43bf2bcd92831a73ba524aee4d5a7c598cb23d119360007238d7d7dc9286e9  lGP6OzvF9o.rar

2019-03-30:
b51dcb4b9a6906a4cb26e1992392659e7d76e60fb57f62c312ff60d73ccaa4f3  Vajyx03oWJ.rar
b2f7da4f0a3a31ef8e4d786371e3a0f496d872a4f811de9cfeeefcae802a21af  achil.zip

2019-03-29:
c8c2b5651246fb9fbfb06ce1acf060572eb2f148a423c15eac06c317a06a39ab  report.rar
35f9ec9a75d712ed471f1643eb7e44524aa7e9cd23439451ceecf7e39dda53e9  daxong.zip
06b6b67db19230d2f8459bd1530181efa619ec75e0632e478252b66dbe0f95ba  datapack.rar 
cd4c28e283ccb4a57a5451e4782aa62326577949227ebb32337d0b901d69ba7f  ddd.rar 
c448dd7896f0e9b103e340af14625c92f4b5585dbb0ab711131308a7554db42f  evil.rar 
733b9b3e17dc53566a4bfbb24745173bc0d2bfc67cd2d15b2ab9bc32888d1c2d  rar.rar 

2019-03-28:
86d3ea6435533e2e3e0c1cb5660d2cb93ae55d137a10a99e1f44ca6d6fa04851  DanhSachThi.rar
a942c5c780363a2f831d2ca955f5dce6ecffa5673fd474fdb75039edc8f8d25e  JRlK9cIH8o (1).rar 
d18a2651171304e58d3cc604a7df013a6b72f23ad431bb4b838e6055797c7206  test_4.rar
58736c33eb329cb90239443b473c4d23190f68d6e1592bcf13e9484a8f82dc7c  test.rar 
a108a405bef3fdfe743351aa8a08922927b1c51fee2ba0931ff8229e0695daf0  I_AM_NOT_EVLL.rar
e382ed835ac43ea87a206ec17b6501aa06aa0d10681804e098c7cf93cd8f4baf  test2.rar
deab281b10cb21c76473e40a0ca5966ec96f24f1751335c66db7268172ae9158  test3.rar
82fe925d93d29fb9f8b8ca6886739cdabea8f1bf17061d874c918daa4663eb16  My_Research.rar 
4c9c7620cf9acdca26b4d1f8f8852cab7da93c1d381d75b39baf352ed69efbf7  syLW8QHZPK.rar
ac66c6bd2574cb0e4332d0e08a9be7bb012a810a9227938550b79143167de9b4  test.rar

2019-03-27:
6e4f0282b212ed39ec61005aa7dd305b645faf6ca85f89d89fe2d389d1d54086  06156cbf6799707479b718c6218b4e48 
7657e5168e2f400555560f3731e3903d780769f606a9d81a33e14c07c098aaf7  997288e1c75672fa47a35ee63dc4d55e 
6f91222109c8556876612c82bfcb50d8a4ee66501e63dc392343e021dd7e563c  zakon.rar 
467eba84ab6487297d9c0eba2fa28394bd155a089766d8f1f293b0d54741cb9f  AmK5lQUwYW.rar 
3542f78cdda1aff5c01f0a0b47e20f838e7efcac8a1b0c717821c109579e559e  AwOzLs18iq.rar 
bf626d4896d41b96dcd31caa5a871b8ef1037cf062893cc4a494cd7913272e62  z304q2dDfa.rar 
14d25fd72ac40b4559170d9afc2aeb7211b90f19449f2263d74984134110f066  WE4cIb98Gk.rar 
c458060d2e3a413a6070d52562c39c30ba21f192e8e63de8ab18f38d568e9993  6370a37eeb96ebf1925f0c9beb6f2dd4 
610c8dd293ce7fda9292d6c0235893e1f46b5662c338cb2c3aa23eef168e527d  ea2a03c56e65efaabca40d33d3650c58 
020ded0f19bd07105e2a41c602a723090f7ccd042c13828d95e979eb53b96d75  90de5d4238f1c265b522098a1db8133d 
c83c6dc9193fee8d516bc322cef5fb9b0cad8b3783b37d13a23d874c50572fe6  c66d2ef2fb6c0bfbda9600566a2f840c 
9c120860efe6bc880e510ba831b6b7cb0e298455e6a7757117412b9e98c49407  64ba3d8215b85eb6d7477b01d60fc984 
14ac4183cc29f6446f5373e0f9c5800e26f606cec8e0eeed45767fd79604da6f  Q7DhO0Uqnm.rar 

2019-03-26:
df1967fac24a0aca82010a325d479270b1216734250db1db874c15a91513ff59  phk6rDSze0.rar
e66e3804a15618320fde2ec92827cef7a46d98618b6ad7be4dad930419d97f25  test.rar

2019-03-25:
8c1d4e2f91e307f34d292d1a59adb8d341a2f93716ff2d4361cd7a9ec29137dd  nr9SC6i4ps.rar 
45cab038a6c861514a567055b1552894acf56cbbf47b20cd5159706692d6e12c  bvyTcUQNsY.rar
27ad9b1ff8ca1a2eba818dde24e06a48bc6248d172c525f220aed2f31ccae0ae  c23fffec565170e79125091d59e283f6 
76da78a3cbee48ea9aa5d5663687622861d9c141574f0ab242957bdc44b8c6d8  winrar exploit.rar 
60b981c1a1d38d486eb6e54742e5c9704290f1a3bd0da70d30c1324137b0abba  XeaHVp1NCi.rar
aa8747fe59b43de56383b20a23b1dbe2914a7f560b82f5edbb8d17507ef4602b  M2pbCoZawU.rar 

2019-03-24:
b3d86ed29b3e0feef07e2f762ccc4c9f6bf5b9ecb9137cf02cbb6bc33158c3b7  ugLY9UhqI6.rar
edcba833e3faf58b7b5a178d068cba903eb7ca44206a1c9e0109c3214e28850f  91c817392cf8862bffec064c8912f121 
503fab31f76d22113a2006324c88a8e0d1f63e431a2d2ceaf31ed92838d20e74  7b0fb7dd80a5d58afc7cff5f167f178b 
703b105cfd970cef214e4f36b707eb67596c72aae2fa4b8272c25e7f14e31123  20fD6FuBWY.rar
ff0fb47cd32d7045207a869d63fa7c013364b5202e65a017fd914bf9babed93b  fE9phg70lb.rar 
059b3154cda5e458ce92b90c74b6ec10c3789ab8d1564a8e8354bc9d430f7938  ys75HqrMbl.rar
89dbc826fed3848b6f25a3dfed50036064d06be18be8a692fac59864691ebd0c  zeyR9BI4MG.rar 
2b324d64eb77bd1554e8e550943d95ae8afe8b424d7878c15a598f8e0834d402  sfpFzY50Bo.rar 
c294b055a191f6b4b1425f4f00a7f5d7389cc0df4f068b706e2ac95b532b0cce  NKwH9aYFGU.rar 
58217ce256cce73059be45771ddb460cda8fd7fc9ae1d0306b74fa5a13cf11c6  sLmn74wakh.rar 
6fb4bc77f568b9182faa9827e65fcd51f9b24a076783a5691dab6c1e48255a82  lPBXofQik2.rar 
564fa3c56b87767ba382f9a100e49ed5b38b1300990045bd26901162b3db3057  dUnM9lqj4P.rar 
ea56ae6ee590221cb110adddd2e39f19a6d6ab5c3bb993f53ba73810d0919fcc  lXfJEzRLrm.rar 
3284da5cdda9c514eaa792aa3f41294429e65e4c999d9d8c1a26467aeac61e11  eynMH2qhAN.rar 
265bf177263fddb83f87a4b8d54748631a66cd9ec8b1027be1ab2291cc10a37a  YZzxe8mLwK.rar 
54d272505792540732566e4ce8ebc4c1eed72341daa75328638092941c1df984  ZELGDBySdc.rar
0b989b8b7a550cb1f0ec990837a657a2282f2495894e8fdd7bae0dc0e642b3b1  VM3vPbkeJD.rar 
4f8cb67caec562ae26cb7da09a86af3b401fa848fa8f52413911ab75a795ea3d  Y95EWfXCPs.rar 
7eb95ccf9ac39a5bde7302d5d4281e2fde22c43b8e25229a784bb7a6e2f33c9d  T74bBaKxoA.rar 
64aaf0cf3145960ae60602c46b01bd43760d34e279cb2d8139811526076565cd  QaeuJHW8qd.rar 
1d0b7ade51ddf24de2500c227bf35daef1fb4e41a9f870c6e864aa32936fb7a3  Rr9c06C2Hv.rar 
7b1690b7690d9434d899875801101af6992e631a8d14a10c91e3662a6a657dd0  KhY5jNJicp.rar
1ad112b317739f5e2e43c1886f559559af192681c9699d7967dfb0ae6afb9bba  O7yRelVxYo.rar 
b5b45d108faec5b995c14263777fe08e6ee2482f931ec2f3a367a9d8ef55b7a7  M4sIJDpR10.rar
87b1b58a331363be2b887c1f093986af654be461e85ee2c361c49e37e899dcb9  G8yutIpQfA.rar
fc80ddda3aba8cd790836b705e008b5f1d7e3fed7a9355954cdf889f6f962492  LUeRb0aVQW.rar
be37c6d23d68df969baaafa0f25bf93af3865fc62e9fa98117e44dc21f440b8d  IqK8iGnpcN.rar 
fbdc41b728d86130b1b32fe79592a2de9f1d0f60b4e37a1a7e14c56205595cb0  GD1nmXWfVF.rar 
d489abe38a0788264074dc3bf5279ef1f605f72c7a0f1ee86365dd1ed6d216b3  JIiPza94nU.rar 
84389e682fbbc18a2ad7045fc60931a0d4a87da2efb93e4720b4b7f3319a7f05  HMs7gPhG3B.rar
67dcf0d71e39f8744fecd5cd2faaa23cc677a466df80ecf13d08672eb6dee9d5  HR8YQhcMjU.rar 
39e91a8cb5fb5dbc6c34342b7b6aeb723dae73da1fc1370dab765380378e3f6e  Cyd6AhfPBU.rar
f184e5a57401c85816c5b14f0fa351b44f207bca848a534c02e7eaf2bfeca67e  FyldYVvA3m.rar 
ff0fb47cd32d7045207a869d63fa7c013364b5202e65a017fd914bf9babed93b  DkZyp8dBag.rar 
a9b6281855248a58968fa96c1f3c9c1ca9df033ce2493d18052a1e252ebb0d72  Eow04ZmbU5.rar 
ca33cc899582d3dd871e5c3345abcc052fab0d355954b09945c8eb3fd6d71c80  9iS3FK6rsh.rar 
6073cd21e62ecc3152bad6965fae7ea7cdd354f1d0c1f884486af53895f88c64  7euTgdYwJo.rar
cdadb71e85a9d62c5005889f5b1f866651be4f92bc1342860538eb86b622e708  1n9aXkpWum.rar 
a4ec20120bfe52e654bbe31d7f5590933740b2f0692f017e8ade2be4f9b29a5e  5FQxWm0Sjy.rar 
0a3c5e245d2d418d49c65aa881edadf0fbc00552a463ac543338eac2f1419846  4Ci3sGPQ9h.rar 
a3698cd58c8f020ffd07b6da6c99547f585e9933a63f8fa85942249060eca92d  0Ql2IAFdno.rar 
bad5108e6ac5a7e289bf5b65e2de134ec048d72d65bf205112ab3434cce45b79  0WpLIPlSnx.rar 
14e0f7db37ee52865553a46336a948f79143113e43285210cfbcd19ab5fa02a8  .
004c47495ee67c0cd2f2df94e80adfb213a00aae041785a0e3241d125295ccca  Aimcheat_pro_cracked.rar 
129a95659284a9269bbf9141e54c8480c042d901d447a6f3e9f8cbc5b771ce5d  SynapseX.rar 

2019-03-23:
4169c7c4513abf34a1b786838352cd5701da10b9333ca4e4ad63283a893326fa  4OMHFhqEnv.rar 
7c82abfc769d3bf30342082277c1d616df02e2c28f9460f11462aaff31bb83bd  .
99d71d6d1fdd2621171f396ae5d1c7029a5ac5e9a4cd153c87a04b14da716774  26ab405cbc5b3afe48a08c06920e4d91 

2019-03-22:
2c9152574698f2b51ec6be0ca52c5b4d3017bfed4004c8fddbe46b4e90c364a9  =?UTF-8?B?0YHQu9C40LI=?=
ccb1fc37ae7b0f3c40c8f5169e625645996c64f21cfd0dd0a02eb965354052f2  np++.rar 
5f7d2ec922d58400c2d4a5934f1c009988297f770ee8bd402cf90c316db80009  khalifa.rar 
0387349a884258b521ab239aa8d66832f61998276f07d928cddd6bcbc1cf6235  Заявка на просчет .rar 
5b5eb8e40c30150117d7db4fa930682fe5ff5c25de05b320d99fa9cb219f6ef8  test.rar
d1155418b59ee1b40010c299e70b63ab60c49737491f640bc8a7cd984b84aaa8  test.rar 
5324c8cef6ee97a794abfc07cb3d2ffa491846fdb3b911915ea0d441347bd493  Abaza_Arsiv.rar 

2019-03-21:
b5a84e8079dc8558d3960d711d8591500b69cf79e750ecaf88919e398c59383f  denuncias.rar 
db641a1873f686df281d83677d06f93964f695f287d36dd92ee1e5318bbb92d7  YZSZXC.rar
642771ffe93bc5d74343a73244b28ef183a4edf03fc50ac69c85474d537d33be  data2.rar 
5ceac7a8eaf9b0ee57aeb4bb357e73ae0266f4cb094fff4b0c37491b58afa29b  test.rar 
377d7a436bcebddcc57e8e02185e137980c5231b3c66a9792f65c7a56a44704e  acefile3.rar 
ba80418e505cc92f63a923f699b52376e7707715caec2eb5bb63790cb96a0dcc  evil (4).rar 
f1fb063ed4d468cafca3b628c3842563c0ee7107a083655277e764f01eecea41  f1fb063ed4d468cafca3b628c3842563c0ee7107a083655277e764f01eecea41 

2019-03-20:
12f15634023aa7dd243570eb39a2d208e5066f1460fba5c8d1bc2ce7c7b3cc46  memes.rar 
e63448fb4d3ac86efc7b2b9a72f4fafb29274228f4329d9cf1ae16597ccabe1f  test.rar

Re: CVE-2018-20250 (WinRAR UNACEV2.DLL)

Posted: Mon Apr 15, 2019 10:10 am
by Antelox
Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability

https://www.microsoft.com/security/blog ... erability/

BR,

Antelox