automatic module_metadata_base.json update

2019-04-24 03:56:37 -07:00 · 2019-04-24 03:56:37 -07:00 · c1a3e66d90
parent 5377826030
commit c1a3e66d90
1 changed files with 41 additions and 0 deletions
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@ -98937,6 +98937,47 @@
    "notes": {
    }
  },
+  "exploit_windows/fileformat/winrar_ace": {
+    "name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution",
+    "full_name": "exploit/windows/fileformat/winrar_ace",
+    "rank": 600,
+    "disclosure_date": "2019-02-05",
+    "type": "exploit",
+    "author": [
+      "Nadav Grossman",
+      "Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
+    ],
+    "description": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability\n        when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename\n        field is manipulated with specific patterns, the destination (extraction) folder is\n        ignored, thus treating the filename as an absolute path. This module will attempt to\n        extract a payload to the startup folder of the current user. It is limited such that\n        we can only go back one folder. Therefore, for this exploit to work properly, the user\n        must extract the supplied RAR file from one folder within the user profile folder\n        (e.g. Desktop or Downloads). User restart is required to gain a shell.",
+    "references": [
+      "CVE-2018-20250",
+      "EDB-46552",
+      "BID-106948",
+      "URL-https://research.checkpoint.com/extracting-code-execution-from-winrar/",
+      "URL-https://apidoc.roe.ch/acefile/latest/",
+      "URL-http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "RARLAB WinRAR <= 5.61"
+    ],
+    "mod_time": "2019-04-24 05:43:28 +0000",
+    "path": "/modules/exploits/windows/fileformat/winrar_ace.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/winrar_ace",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/fileformat/winrar_name_spoofing": {
    "name": "WinRAR Filename Spoofing",
    "full_name": "exploit/windows/fileformat/winrar_name_spoofing",