Full Report
WinRAR is a Windows-specific compression tool that also has a terminal version. ANSI escape sequences are used in terminals to change the color, orientation and many other properties of text. If ANSI escape sequences can be included in text printed to the terminal, they can be weaponized to change the screen. When WinRAR outputs data to the screen, a malicious file could rewrite the entire screen by adding escape sequences to the comment of the file. Because escape sequences can be used to rewrite the entire screen (as in Vim), the author of the post was able to use the comment of a file in WinRAR to rewrite everything, in particular changing the file name output to something different from the original. This could be used to hide viruses or something like that. Interesting bug with awesome context. Good write-up!
Analysis Summary
# Vulnerability: ANSI Escape Sequence Injection in WinRAR Console Utility
## CVE Details
- CVE ID: CVE-2024-33899 (Linux/Unix), CVE-2024-36052 (Windows)
- CVSS Score: Information not explicitly provided, but severity is noted as significantly higher on Linux/Unix systems (implying a higher score for CVE-2024-33899).
- CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Command Interpreter - implied by ANSI injection)
## Affected Systems
- Products: WinRAR console versions (RAR and UnRAR)
- Versions: Versions 6.24 and earlier.
- Configurations: Applicable when listing archive contents on terminals that process ANSI escape sequences (e.g., Linux, Unix, Windows command lines). The vulnerability **does not** affect the GUI version of WinRAR or the UnRAR library.
## Vulnerability Description
The console versions of RAR and UnRAR fail to properly filter ANSI escape sequences embedded within the file comments of an archive. When a user lists the contents of a malicious archive (e.g., using `unrar l`), the escape sequences in the comment are interpreted by the terminal. This allows an attacker to manipulate the terminal output, such as spoofing file names (e.g., hiding a malicious file behind a benign name) or injecting sequences that control the cursor and screen state. On Linux/Unix systems, specific sequences can lock up or freeze the terminal session, leading to a Local Denial of Service (DoS).
## Exploitation
- Status: A Proof of Concept (PoC) is demonstrated, focusing on output manipulation (spoofing file names) and DoS (on Linux/Unix).
- Complexity: Low to Medium. Requires pre-packaging a malicious RAR file with a crafted comment.
- Attack Vector: Local (Requires the victim to execute the `unrar l` or relevant command on a vulnerable terminal).
## Impact
- Confidentiality: Low (Potential for masquerading files).
- Integrity: High (Ability to spoof file listings, tricking users into believing benign files are present, or executing follow-on actions based on false output).
- Availability: High on Linux/Unix (Full terminal DoS possible via specific ANSI sequences).
## Remediation
### Patches
- **WinRAR Version 7.00:** This version includes a patch that filters or correctly handles ANSI escape sequences embedded in file comments.
### Workarounds
- Users should avoid listing the contents of untrusted RAR archives using the console utilities (`rar` or `unrar`).
- On systems vulnerable to DoS, users should ensure they are running WinRAR 7.00 or later, or take extreme caution when listing external archives.
## Detection
- Indicators of Compromise: Unexpected changes in terminal color, cursor position anomalies, or terminal freezing when running `unrar l` or `rar l` commands involving specific archives.
- Detection methods and tools: Standard network monitoring or file integrity monitoring would not typically detect the crafted comment within the archive header itself. Behavioral analysis of terminal sessions following archive listing could indicate exploitation.
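
The filter below is an added example, not code from the write-up or from RARLAB's fix. It flags ANSI escape sequences in text destined for a terminal and rewrites every control character in a visible form, so the listing of an untrusted archive can be inspected without the terminal interpreting it. The function names and the sample comment are constructed for illustration.

```python
import re
import sys

# Escape sequences a terminal would act on.
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: cursor movement, erase, colour
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: window title and similar
    r"|\x1b[@-Z\\-_]"                        # other two-byte ESC sequences
    r"|\x9b[0-?]*[ -/]*[@-~]"                # 8-bit CSI
)
# Every control character except tab and newline (includes ESC and bare CR).
OTHER_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

# Constructed sample: an archive comment carrying erase-line and colour codes.
SAMPLE_COMMENT = "Release notes\x1b[2K\x1b[31m v1.0\x1b[0m\r\n"


def find_sequences(text):
    """Return every escape sequence found, in order of appearance."""
    return [m.group(0) for m in ANSI_SEQ.finditer(text)]


def neutralize(text):
    """Make control characters visible (\\xNN) so the terminal prints them as text."""
    text = text.replace("\r\n", "\n")  # keep ordinary Windows line endings readable
    return OTHER_CTRL.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


if __name__ == "__main__":
    # Assumed usage: pipe the output of a listing command into this script.
    data = sys.stdin.buffer.read().decode("utf-8", "replace")
    hits = find_sequences(data)
    sys.stdout.write(neutralize(data))
    if hits:
        print(f"[!] {len(hits)} escape sequence(s) neutralized", file=sys.stderr)
        sys.exit(1)
```

Treating exit status 1 as a finding is an assumed workflow; a bare carriage return is also made visible because it can overwrite text already printed on the same line.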
## References
- Vendor Advisory (RARLAB): Released update on February 28, 2024.
- Vulnerability write-up: hxxps://sdushantha.medium.com/ansi-escape-injection-vulnerability-in-winrar-1a2cbfac4b983