automatic module_metadata_base.json update

2019-04-24 03:54:55 -07:00 · 2019-04-24 03:54:55 -07:00 · e7f82610d3
parent 0e2fb0fb12
commit e7f82610d3
1 changed files with 41 additions and 0 deletions
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@ -98937,6 +98937,47 @@
    "notes": {
    }
  },
+  "exploit_windows/fileformat/winrar_ace": {
+    "name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution",
+    "full_name": "exploit/windows/fileformat/winrar_ace",
+    "rank": 600,
+    "disclosure_date": "2019-02-05",
+    "type": "exploit",
+    "author": [
+      "Nadav Grossman",
+      "Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
+    ],
+    "description": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability\n        when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename\n        field is manipulated with specific patterns, the destination (extraction) folder is\n        ignored, thus treating the filename as an absolute path. This module will attempt to\n        extract a payload to the startup folder of the current user. It is limited such that\n        we can only go back one folder. Therefore, for this exploit to work properly, the user\n        must extract the supplied RAR file from one folder within the user profile folder\n        (e.g. Desktop or Downloads). User restart is required to gain a shell.",
+    "references": [
+      "CVE-2018-20250",
+      "EDB-46552",
+      "BID-106948",
+      "URL-https://research.checkpoint.com/extracting-code-execution-from-winrar/",
+      "URL-https://apidoc.roe.ch/acefile/latest/",
+      "URL-http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "RARLAB WinRAR <= 5.61"
+    ],
+    "mod_time": "2019-04-24 05:43:28 +0000",
+    "path": "/modules/exploits/windows/fileformat/winrar_ace.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/winrar_ace",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/fileformat/winrar_name_spoofing": {
    "name": "WinRAR Filename Spoofing",
    "full_name": "exploit/windows/fileformat/winrar_name_spoofing",