CVE-2018-20250
published 2019-02-05


Priority: P1 (93, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-08-15
Exploited in the wild
EPSS: 96.27% (99.9th percentile)
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

Affected (2 ranges)

Vendor                                 | Product | Version range | Fixed in
check_point_software_technologies_ltd  | winrar  |               |
rarlab                                 | winrar  | <= 5.61       |

Detection & IOCs (extracted from sources)

url: hxxp://138.204.171.108/BxjL5iKld8.zip
ip: 138.204.171.108
ip: 154.222.140[.]49
filename: 123.sct
filename: conf.exe
ip: 122.112.245[.]78
port: 55556
port: 8000
url: hxxps://click.clickanalytics208[.]com/s_code.js?cid=239&v=243bcb3d3c0ba83d41fc
domain: sonsobakq1.mcdir[.]ru
url: hxxp://sonsobakq1.mcdir[.]ru/api/conf.get
url: hxxp://sonsobakq1.mcdir[.]ru/api/info.get
url: hxxp://sonsobakq1.mcdir[.]ru/api/gate.get?p1=[x]&p2=[x]&p3=[x]&p4=[x]&p5=[x]&p6=[x]&p7=[x]
url: hxxp://sonsobakq1.mcdir[.]ru/api/download.get
other: Win.Exploit.CVE_2018_20250-6869547-0
other: Win.Exploit.CVE_2018_20250-6869546-1
snort: 49289 - 49292
  • CVE-2018-20250 exploits the ACE archive format via a crafted filename field in UNACEV2.dll to perform absolute path traversal, dropping malicious files directly into the Windows Startup folder for persistence without user interaction.
  • Monitor for regsvr32.exe making outbound network connections, which is used in the chained CVE-2017-11882 + CVE-2018-20250 attack to download the next-stage payload (123.sct).
  • The backdoor malware connects to http://icanhazip.com to retrieve the victim's external IP address prior to C2 beaconing; monitor for non-browser processes making HTTP requests to icanhazip.com.
  • The first in-the-wild CVE-2018-20250 exploit delivered a backdoor generated by Metasploit Framework (MSF) written to the global startup folder; the backdoor phoned home to 138.204.171.108:443.
  • The Chinese-targeted campaign's conf.exe is infected by Sality file infector; when executed, both the backdoor payload and Sality infector shellcode run simultaneously — scan dropped files from ACE archives for Sality signatures.
  • The watering-hole delivery script checks for a Windows OS cookie before serving the exploit; monitor injected JavaScript on compromised sites that checks cookie data for OS fingerprinting prior to delivering ACE exploit archives.
  • The C2 beacon check against www.360.cn/status/getsign.asp always fails during testing, meaning this C2 pre-check mechanism appears non-functional in observed samples and should not be relied upon as a definitive indicator of active C2 communication.
  • The UNACEV2.dll library exploited by CVE-2018-20250 had not been updated since 2005; WinRAR's mitigation was to drop ACE archive support entirely in version 5.70 Beta 1 rather than patch the DLL.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd       | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck |         | 7.8   | HIGH     |
cisa      |         | 7.8   | HIGH     |