New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

A new security vulnerability has been disclosed in RARlab’s UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.

The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of version 6.12 released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.

An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive,” SonarSource researcher Simon Scannell said in a Tuesday report. “If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.”

It’s worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization’s network.

The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that’s a mix of both forward slashes and backslashes (e.g., “..\..\..\tmp/shell”) so as to bypass current checks and extract it outside of the expected directory.

Leave a Reply

Your email address will not be published.