SonarSource researchers have discovered a new vulnerability in RARlab’s UnRAR utility, tracked as CVE-2022-30333, that can be exploited by remote attackers to execute arbitrary code on a system that relies on the binary, like Zimbra webmail servers.
Zimbra is an enterprise-ready email solution used by over 200,000 businesses, government and financial institutions.
“We discovered a 0-day vulnerability in the unrar utility, a 3rd party tool used in Zimbra. The vulnerability ultimately allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.” reads the post published by SonarSource researchers.
“An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.”
The CVE-2022-30333 flaw in the unrar binary developed by RarLab is a File Write vulnerability that could be exploited by tricking victims into extracting maliciously crafted RAR archives.
The experts pointed out that in the case of Zimbra, threat actors could exploit this issue to access every email sent and received on a compromised email server. An attacker can fully compromise a server, install a backdoor, and use the compromised machine as a pivot to target other systems within the organization.
“The only requirement for this attack is that unrar is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking.” continues the report.
Below is the timeline for this issue:
- We report the bug in unrar to RarLab.
- We are already in communication with Zimbra about another issue. We give them a heads up about an upcoming security patch from RarLab and send them a Proof-of-Concept exploit to verify that the issue affects Zimbra.
- RarLab confirms the issue.
- RarLab sends us a patch for review. We confirm the patch is effective the same day.
- RarLab releases version 6.12 of the binary on their website.
- We send a dedicated email to Zimbra regarding this issue and send the Proof-of-Concept exploit again.
- We notice a flaw in our Proof-of-Concept and send Zimbra more files to help them verify the issue.
- We notify Debian and Ubuntu package maintainers of the security issue.
- Zimbra notifies us that they were able to reproduce the vulnerability.
- We notify Zimbra of the planned release date for this blog post.
The issue stems from a symbolic link attack: threat actors could create a RAR archive containing a symlink whose target mixes forward slashes and backslashes (e.g., “..\..\..\tmp/shell”) to bypass the existing path checks and have it extracted outside of the target extraction directory.
The flaw resides in a function that converts backslashes (‘\’) to forward slashes (‘/’) so that RAR archives created on Windows can be extracted on Unix systems. Because the directory-traversal check runs on the path before this conversion, a target written with backslashes is not recognised as traversal, but it becomes one after conversion.
The attacker can exploit this flaw to write arbitrary files anywhere on the target filesystem, including writing a JSP shell into Zimbra’s web directory.
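The order-of-operations problem described above is easiest to see in a dry run. The following Python model is an added example, not code from SonarSource, RarLab or Zimbra: it mimics a traversal check that runs before the backslash-to-slash conversion (the pattern the article describes) beside a hardened check that converts first and then resolves the path through symlinks already created by the same archive. The archive listing, the extraction root `/opt/zimbra/data/tmp/extract` and the entry names are constructed for illustration; nothing touches the filesystem.

```python
import posixpath

# Hypothetical extraction root; the article does not give the real paths Zimbra uses.
EXTRACT_DIR = "/opt/zimbra/data/tmp/extract"

# Constructed archive listing: a symlink whose target mixes backslashes with a forward
# slash, a file entry that would be written through that link, and one harmless file.
ARCHIVE = [
    {"name": "link", "symlink_to": "..\\..\\..\\tmp/shell"},
    {"name": "link", "data": b"<constructed placeholder content>"},
    {"name": "docs/readme.txt", "data": b"hello"},
]


def convert_windows_slashes(path):
    """Mimic the extractor step that rewrites '\\' to '/' so Windows-made archives unpack on Unix."""
    return path.replace("\\", "/")


def naive_check(extract_dir, path, symlinks):
    """Traversal check applied to the raw path, i.e. before slash conversion.
    '..\\..\\..\\tmp/shell' splits on '/' into ['..\\..\\..\\tmp', 'shell'] and passes."""
    return ".." not in path.split("/")


def resolve(base, rel, symlinks, depth=0):
    """Resolve rel against base, following symlinks recorded in `symlinks`
    (absolute link path -> link target). A depth limit cuts off symlink cycles."""
    if depth > 40:
        raise ValueError("too many levels of symbolic links")
    current = posixpath.normpath(base)
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    for i, part in enumerate(parts):
        candidate = posixpath.normpath(posixpath.join(current, part))
        if candidate in symlinks:
            target = symlinks[candidate]
            parent = posixpath.dirname(candidate)
            new_base = target if target.startswith("/") else posixpath.join(parent, target)
            return resolve(new_base, "/".join(parts[i + 1:]), symlinks, depth + 1)
        current = candidate
    return current


def hardened_check(extract_dir, path, symlinks):
    """Convert slashes first, then resolve through already-created symlinks and require
    the final location to stay under the extraction root."""
    root = posixpath.normpath(extract_dir)
    final = resolve(root, convert_windows_slashes(path), symlinks)
    return final == root or final.startswith(root + "/")


def simulate_extraction(archive, extract_dir, check):
    """Dry-run an extraction: return [(entry name, accepted?, where the write would land)].
    Symlinks that pass the check are recorded so later entries resolve through them,
    as they would on disk."""
    root = posixpath.normpath(extract_dir)
    symlinks = {}
    report = []
    for entry in archive:
        name = entry["name"]
        if "symlink_to" in entry:
            # Validate where the link points, relative to the link's own directory.
            to_check = posixpath.join(posixpath.dirname(name), entry["symlink_to"])
            accepted = check(extract_dir, to_check, symlinks)
            if accepted:
                link_path = posixpath.normpath(posixpath.join(root, convert_windows_slashes(name)))
                symlinks[link_path] = convert_windows_slashes(entry["symlink_to"])
            landing = resolve(root, convert_windows_slashes(to_check), symlinks)
        else:
            accepted = check(extract_dir, name, symlinks)
            landing = resolve(root, convert_windows_slashes(name), symlinks)
        report.append((name, accepted, landing))
    return report


if __name__ == "__main__":
    for label, check in (("naive check", naive_check), ("hardened check", hardened_check)):
        print(f"--- {label} ---")
        for name, ok, landing in simulate_extraction(ARCHIVE, EXTRACT_DIR, check):
            print(f"{name:18} {'accept' if ok else 'REJECT':7} -> {landing}")
```

Under the naive check the symlink is accepted and the following file entry lands at `/opt/zimbra/tmp/shell`, outside the extraction root; under the hardened check the symlink is rejected, so the same file entry stays at `/opt/zimbra/data/tmp/extract/link`. The practical takeaway for anyone auditing an extractor is that every path test must run on the exact string the write will use, after all rewriting, and must take symlinks created earlier in the same archive into account.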
“An attacker can achieve RCE impact via various means. We mentioned, for example, that an attacker could write a JSP shell into a web directory. Luckily, most Zimbra instances have their services distributed across multiple servers and thus this path of exploitation is not possible on most installations. However, we have reported multiple different paths of exploitation that work on distributed installations.” concludes the report. “For this reason we recommend upgrading unrar immediately, even if your web server and mail server are not on the same physical machine.”
(SecurityAffairs – hacking, Zimbra)