New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

A new security vulnerability has been disclosed in RARlab’s UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.

The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of version 6.12 released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.

“An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive,” SonarSource researcher Simon Scannell said in a Tuesday report. “If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.”

It’s worth pointing out that any software that uses an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

This also includes the Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even the ability to abuse it to access or overwrite other internal resources within the organization’s network.

The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that is a mix of both forward slashes and backslashes (e.g., “..\..\..\tmp/shell”) so as to bypass existing checks and extract it outside of the expected directory.


More specifically, the weakness has to do with a function that is designed to convert backslashes (“\”) to forward slashes (“/”) so that a RAR archive created on Windows can be extracted on a Unix system, effectively altering the aforementioned symlink to “../../../tmp/shell”.
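
As an added illustration (not UnRAR's code and not taken from the SonarSource report), the Python model below shows why validating a symlink target before the backslash conversion misses the mixed-separator case, next to the ordering that validates the final string. All function names and sample entries are constructed for this example.

```python
import posixpath

def escapes_root(target: str, link_dir: str = "") -> bool:
    """True if a symlink target, resolved from link_dir (relative to the
    extraction root), would point above that root on a Unix filesystem."""
    if target.startswith("/"):
        return True  # absolute targets always leave the root
    resolved = posixpath.normpath(posixpath.join(link_dir, target))
    return resolved == ".." or resolved.startswith("../")

def to_unix(target: str) -> str:
    """The conversion step described above: backslashes become slashes."""
    return target.replace("\\", "/")

def check_then_convert(target: str, link_dir: str = ""):
    """Flawed ordering: the raw string is validated, the converted one is used."""
    allowed = not escapes_root(target, link_dir)
    return allowed, to_unix(target)

def convert_then_check(target: str, link_dir: str = ""):
    """Hardened ordering: validate exactly the string that will be written."""
    final = to_unix(target)
    return not escapes_root(final, link_dir), final

def ordering_gaps(entries):
    """Return (link_dir, target) pairs the flawed check allows but the hardened one rejects."""
    return [(d, t) for d, t in entries
            if check_then_convert(t, d)[0] and not convert_then_check(t, d)[0]]

# Constructed sample symlink entries: (directory holding the link, link target)
SAMPLE_ENTRIES = [
    ("", "..\\..\\..\\tmp/shell"),   # the article's mixed-separator example
    ("docs", "../README"),           # resolves inside the root
    ("", "../../outside.txt"),       # plain traversal, rejected by both orderings
    ("docs", "img\\logo.png"),       # benign Windows-style separator
]

if __name__ == "__main__":
    for d, t in SAMPLE_ENTRIES:
        print(repr(t), check_then_convert(t, d), convert_then_check(t, d))
    print("ordering gaps:", ordering_gaps(SAMPLE_ENTRIES))
```

On Unix a backslash is an ordinary filename character, so the raw target has no ".." path component until the conversion has run; any check placed before that step sees a harmless-looking name.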

By taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra’s web directory and executing malicious commands.

“The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking,” Scannell noted.
