WinRAR Directory Traversal Vulnerability

Vulnerability Information

Vulnerability name: WinRAR directory traversal vulnerability

Vulnerability ID:

  • CVE: CVE-2025-6218

Vulnerability type: Directory traversal

Severity: High

Description: CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted .rar archive. By exploiting this flaw, an attacker can drop malicious files in sensitive locations, which can lead to remote code execution (RCE) if the system or the user executes the file.

Affected product: WinRAR is a widely used file compression and extraction tool that supports many archive formats and has users worldwide. Because of its high install base, the reach of this vulnerability is extremely broad.

Vulnerability explanation: This is a directory traversal vulnerability whose root cause is that WinRAR fails to properly validate and sanitize the file paths stored in a .rar archive during extraction. An attacker can craft an archive in which a file's path points outside the intended extraction directory, using path traversal sequences (such as ..\ or ../../) to bypass the restriction.

Impact analysis: The vulnerability allows an attacker to place malicious files in sensitive locations, such as the Windows Startup folder, when a user extracts a crafted archive. Once a file is placed there, it may be executed automatically by the system or at user logon, leading to remote code execution. The attacker needs no further user interaction, which greatly increases the risk. In addition, the attacker can use the flaw to overwrite critical system files, disrupting system functionality or escalating privileges, or to deliver ransomware, spyware or backdoors.

Vendor: WinRAR

Product: WinRAR

Affected versions: version ≤ 7.11

Source: https://github.com/absholi7ly/CVE-2025-6218-WinRAR-Directory-Traversal-RCE

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

CVE-2025-6218-WinRAR-Directory-Traversal-RCE

CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted .rar archive. By exploiting this flaw, an attacker can drop malicious files in sensitive locations, potentially leading to remote code execution (RCE) if the file is executed by the system or user.

Affected Versions

  • WinRAR versions ≤ 7.11 are vulnerable.
  • Versions ≥ 7.12 Beta 1 include a patch to mitigate this issue.
  • Always verify the version of WinRAR installed (via WinRAR.exe --version).

Why Directory Traversal Flaws Are Dangerous

Directory traversal vulnerabilities allow attackers to manipulate file paths to write files to unintended locations. In the context of WinRAR, this means a file meant to be extracted to C:\Temp could instead be placed in a sensitive directory like the Windows Startup folder (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). If a malicious executable or script is placed in such a location, it could run automatically, granting the attacker control over the victim’s system.

Real-World Impact

An attacker can:

  • Drop a malicious script (e.g., a .bat file) in the Startup folder to execute code on system boot.
  • Overwrite critical system files in directories like C:\Windows\System32 to disrupt system functionality or escalate privileges.
  • Deliver payloads such as ransomware, spyware, or backdoors without the user’s knowledge.
  • Combine this with social engineering (e.g., tricking a user into extracting a malicious archive) to achieve RCE.

2. Root Cause Explanation

How WinRAR Fails to Sanitize File Paths

The vulnerability stems from WinRAR’s failure to properly validate and sanitize file paths stored within a .rar archive. When extracting files, WinRAR trusts the file path metadata in the archive without sufficiently checking for path traversal sequences like ..\ or ../../. This allows an attacker to craft an archive where a file’s path points outside the intended extraction directory.

How ..\..\..\ Sequences Trick the Extraction Process

  • Path Traversal Basics: The sequence ..\ in a file path instructs the system to move up one directory level. By chaining multiple ..\ sequences (e.g., ..\..\..\..\..), an attacker can navigate from the extraction directory (e.g., C:\Temp\Test) to the root of the drive (C:\) and then to any desired location, such as C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
  • WinRAR’s Flaw: Vulnerable versions of WinRAR (≤ 7.11) do not block or sanitize these sequences, allowing the extraction process to place files in arbitrary locations relative to the extraction point.

Why Files Can Land in Sensitive Locations

  • Startup Folder: Files placed in C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup execute automatically when a user logs in. A malicious .bat or .exe file here can run arbitrary commands.
  • System32 or Other Sensitive Directories: Overwriting or adding files in C:\Windows\System32 can compromise system integrity or enable privilege escalation.
  • No User Interaction Required: If the file is placed in an auto-executing location like the Startup folder, the payload runs without further user action after extraction.

Visual Diagram: Intended vs. Actual Extraction Paths

Intended Extraction (Safe):
- User extracts archive to: C:\Temp\Test
- Archive contains file: payload.bat
- Expected result: C:\Temp\Test\payload.bat

Actual Extraction (Exploited):
- User extracts archive to: C:\Temp\Test
- Archive contains file with path: ..\..\..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
- Actual result: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
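The diagram above shows one traversal entry and where it lands. The check below is an added example, not code from the README or from WinRAR: it is the per-entry path validation a safe extractor must apply to every stored name before opening an output file, the step the vulnerable versions skip. It uses Python's ntpath module so that Windows path rules are emulated on any OS, takes the extraction directory C:\Temp\Test and the entry names from the diagram (the <username> placeholder is kept as on the page), and adds a few constructed entry shapes (forward slashes, a drive-letter path, a UNC path) that a sanitizer must reject as well. It goes slightly beyond the page's single case by showing the general "resolve, then confirm containment" algorithm.

```python
# Added example, not code from the original README or from WinRAR: the
# per-entry path check that a safe extractor must apply before writing any
# file from an archive. ntpath emulates Windows path rules on any OS, so the
# check runs offline on Linux or macOS as well.
import ntpath

# Extraction directory from the diagram above (assumed, as on the page).
EXTRACT_DIR = r"C:\Temp\Test"

# Constructed sample listing of archive entry names. Only the first is benign;
# the second is the traversal entry from the diagram, the rest are other
# shapes a sanitizer must also reject.
SAMPLE_ENTRIES = [
    r"payload.bat",
    r"..\..\..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat",
    r"Users/../../../Windows/System32/evil.dll",   # '/' is a separator on Windows too
    r"C:\Windows\System32\evil.dll",                # absolute path with drive letter
    r"\\server\share\evil.exe",                     # UNC path
]


def resolve_entry(extract_dir: str, entry: str) -> str:
    """Absolute path an extractor writes to if it trusts the stored name
    verbatim (what the vulnerable WinRAR versions do)."""
    name = entry.replace("/", "\\")
    # join() keeps a relative name under extract_dir; normpath() then
    # collapses every '..' component, which is where the escape happens.
    return ntpath.normpath(ntpath.join(extract_dir, name))


def is_safe_entry(extract_dir: str, entry: str) -> bool:
    """True only if the entry lands strictly inside extract_dir."""
    name = entry.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    # Reject drive-letter, UNC and root-relative names outright.
    if drive or name.startswith("\\"):
        return False
    base = ntpath.normcase(ntpath.normpath(extract_dir))
    target = ntpath.normcase(resolve_entry(extract_dir, name))
    if target == base:           # the entry resolves to the directory itself
        return False
    try:
        return ntpath.commonpath([base, target]) == base
    except ValueError:           # different drives: certainly outside
        return False


def audit_listing(extract_dir: str, entries) -> list:
    """Return [(entry, resolved_path, safe)] for every entry in a listing."""
    return [(e, resolve_entry(extract_dir, e), is_safe_entry(extract_dir, e))
            for e in entries]


if __name__ == "__main__":
    for entry, resolved, safe in audit_listing(EXTRACT_DIR, SAMPLE_ENTRIES):
        print(f"{'OK    ' if safe else 'REJECT'} {entry}\n        -> {resolved}")
```

Running the block prints OK for payload.bat, which resolves to C:\Temp\Test\payload.bat, and REJECT for the diagram's traversal entry, which resolves to C:\Users\<username>\...\Startup\payload.bat exactly as the "Actual Extraction" case shows. Two design points: the containment test compares normalized paths with commonpath rather than searching the raw name for "..", so encodings such as mixed separators or a "Users/../.." prefix that only escapes after normalization are caught too; and a name-only check is not the whole story, because an archive can first create a directory symlink or junction inside the extraction directory and then write through it, so a hardened extractor also refuses to follow reparse points it created itself.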

3. Manual Exploitation Guide

This section provides step-by-step instructions to manually reproduce the CVE-2025-6218 vulnerability in a safe, isolated lab environment using a virtual machine (VM) with no network connectivity. The goal is to create a .rar archive that places a harmless .bat file in the Windows Startup folder, which launches Calculator (calc.exe) upon user login.

Prerequisites

  • A virtual machine running Windows 10 with WinRAR version ≤ 7.11 installed.
  • WinRAR installed on your host machine (≤ 7.11) for creating the archive.
  • A text editor (e.g., Notepad) to create the payload.
  • No network connectivity on the VM to ensure safety.

Step-by-Step Instructions

  1. Prepare a Test Folder:

    • On your host machine, create a folder named exploit_test (e.g., C:\exploit_test).
    • This folder will hold the payload and folder structure for the archive.
  2. Create a Simple Payload:

    • Open Notepad and create a new file with the following content:
      @echo off
      start calc.exe
    • Save the file as payload.bat in C:\exploit_test.
    • This batch file is harmless and will open the Windows Calculator when executed.
  3. Create the Folder Structure for Path Traversal:

    • Inside C:\exploit_test, create a folder structure that mirrors the desired path:
      C:\exploit_test\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
      Replace <username> with the target user’s name on the VM (e.g., absholi7ly).
    • Move payload.bat into the Startup folder:
      C:\exploit_test\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
  4. Craft the Malicious RAR Archive Using WinRAR:

    • Open WinRAR (version ≤ 7.11) on your host machine.
    • Navigate to C:\exploit_test.
    • Select the Users folder (which contains the full path to payload.bat).
    • Right-click and select Add to archive….
    • In the WinRAR dialog:
      • Set the archive name to exploit.rar (e.g., C:\exploit_test\exploit.rar).
      • Choose RAR as the archive format.
      • Set the Compression method to Store or Normal.
      • Ensure no advanced options (e.g., password protection) are enabled.
    • Click OK to create the archive.
    • Verify the archive contents by opening exploit.rar in WinRAR. You should see:
      Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
  5. Transfer the Archive to the VM:

    • Copy exploit.rar to a shared folder or USB drive accessible by the VM.
    • In the VM, move exploit.rar to the root of the C:\ drive:
      C:\exploit.rar
  6. Extract the Archive on the VM:

    • In the VM, open WinRAR (version ≤ 7.11).
    • Navigate to C:\.
    • Right-click exploit.rar and select Extract Here.
    • This should attempt to extract payload.bat to:
      C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
      due to the directory traversal vulnerability.
  7. Verify the Exploitation:

    • Open Windows Explorer in the VM and navigate to:
      C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    • Check if payload.bat exists in this folder.
    • If it does, the directory traversal was successful.
  8. Test the Payload Execution:

    • Log out of the current user session in the VM and log back in as username.
    • Alternatively, restart the VM.
    • If the exploit worked, the Windows Calculator (calc.exe) should launch automatically.
    • To manually test, double-click payload.bat in the Startup folder to confirm it opens Calculator.

4. Verification

Checking for the Dropped Payload

  • Open Windows Explorer in the VM.
  • Navigate to:
    C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Look for payload.bat. If it’s present, the directory traversal exploit succeeded.
  • Open payload.bat in Notepad to verify its contents:
    @echo off
    start calc.exe

Confirming the File Path

  • Right-click payload.bat in the Startup folder and select Properties.
  • Check the Location field to confirm it matches:
    C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • If the file is elsewhere (e.g., C:\payload.bat or a subfolder like C:\Users\username\AppData\Roaming\...), the exploit did not work as intended.

Confirming Payload Execution

  • Log out and log back in to the VM as the user username.
  • Alternatively, restart the VM.
  • Observe if Calculator opens automatically.
  • If it doesn’t, manually double-click payload.bat in the Startup folder to verify it works.

5. Optional Automation Mention

For researchers looking to streamline the process, the manual steps described above can be automated using a Python script. Such a script could:

  • Use the os or getpass modules to dynamically detect the current username.
  • Create the payload.bat file and the necessary folder structure (Users\<username>\...).
  • Invoke the rar.exe command-line tool to build the malicious .rar archive with the correct path traversal sequence.

http://example.com/2025/07/10/github_2500859411/
Author
lianccc
Published on
July 10, 2025