Other applications using binary to extract untrusted archives are potentially vulnerable too

UnRAR path traversal flaw can lead to RCE in Zimbra

UPDATED A path traversal vulnerability in RarLab’s UnRAR binary can lead to remote code execution (RCE) on business email platform Zimbra and can potentially affect other software.

The UnRAR utility is used to extract RAR archives to a temporary directory for virus-scanning and spam-checking purposes.

However, a recently patched file-write flaw (CVE-2022-30333) means an unauthenticated attacker can “create files outside of the target extraction directory when an application or victim user extracts an untrusted archive”, according to a blog post published by Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource).

Catch up with the latest security research news

If malicious hackers manage to write to a known location, continued Scannell, they could potentially execute arbitrary commands on the system.

Successful exploitation of the high severity (CVSS 7.5) issue on Zimbra, an open source platform used by more than 200,000 businesses, “gives an attacker access to every single email sent and received on a compromised email server”.

They can also silently backdoor login functionalities and steal users’ credentials, as well as escalate access to an organization’s other internal services, warned Scannell.

Symlink protection bypass

The flaw resides in UnRAR’s mechanism for preventing symbolic link (symlink) attacks on Unix systems, whereby the function for validating relative symlinks, IsRelativeSymLinkSafe(),checks if the symlink target contains ../ on Unix or ..\ on Windows.

This check can, however, be negated due to the fact that untrusted input is sometimes modified after it has been validated, which breaks assumptions made during the validation step.

Specifically, once the symlink has been validated, UnRAR converts backslashes (\) to forward slashes (/) with DosSlashToUnix() to ensure that a RAR archive created on Windows can be extracted on a Unix system.

“By exploiting this behavior, an attacker can write a file anywhere on the target filesystem,” said Scannell.

RCE on Zimbra

Since the Amavis content filter used by Zimbra to analyze extracted files operates as the Zimbra user, added Scannell, the file-write primitive allows the creation and overwriting of files in other services’ working directories too.

The researcher detailed how an attacker could achieve RCE on Zimbra by writing a JSP shell to the web directory, using a file-based command injection, or creating an SSH key.

Sonar notified RarLab of the flaw on May 4, 2022, and a security patch was included with version 6.12 binaries, which were released on May 6.

Zimbr developer Synacor was also warned about the flaw on May 4 so it could warn users to patch their cloud instances.

A blog post detailing the technicalities was published yesterday (June 28).

Only Unix binaries – excluding Android – and implementations using RarLab’s code are affected.

Thanks all round

Eugene Roshal, the developer of UnRAR as well as the RAR file format and WinRAR file archiver, thanked Scannell and Sonar for reporting the vulnerability and alerting developers using UnRAR in their Unix software.

“They properly mentioned the vulnerable code inside of ExtractUnixLink50 function in ulinks.cpp,” Roshal told The Daily Swig. “Previously IsRelativeSymlinkSafe received a pathname before converting backslashes to forward slashes. Now it receives a pathname after this conversion.”

Scannell thanked RarLab’s developers for “their very fast and professional handling of this issue”, and shouted out Zimbra’s security team for “warning their customers to help prevent exploitation”.

Zimbra is something of a specialty for Sonar, whose researchers have in the last 12 months discovered a bug chain leading to full Zimbra server compromise, an XSS flaw that powered spear phishing campaigns, and, only two weeks ago, a memcached injection vulnerability that imperilled login credentials.

This article was updated on June 30 with additional comment from Eugene Roshal from RarLabs

RELATED Business email platform Zimbra patches memcached injection flaw that imperils user credentials