cbcvebase.
CVE-2023-38831
published 2023-08-23


Priority: P190 high
CVSS 3.1: 7.8 (AV:L AC:L PR:N UI:R S:U C:H I:H A:H)
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2023-09-14
Exploited in the wild
EPSS: 97.80% (99.9th percentile)
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Affected

1 range
Vendor | Product | Version range | Fixed in
rarlab | winrar | < 6.23 | 6.23

Detection & IOCs (extracted from sources)

hash: 52951f2d92e3d547bad86e33c1b0a8622ac391c614efa3c5d167d8a825937179
hash: 4f3992b9dbd1c2a64588a5bc23f1b37a12a4355688d6e1a06408ea2449c59368
url: https://tinyurl.com/app/api/create
domain: mockbin.org
path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\search.url
ip: 45.87.246[.]34
ip: 185.158.248[.]107
url: http[:]//45.87.246[.]34:443/calc.exe
url: http[:]//185.158.248[.]107:443/calc.exe
ip: 45.156.27[.]115
filename: calc.exe
path: C:\ProgramData\wusa.exe
path: C:\Windows\System32\inetsrv\calc.exe
path: C:\Windows\System32\winuac.exe
path: C:\Windows\System32\winsw.exe
cookie: XSRF-TOKEN
  • CVE-2023-38831 exploitation: A ZIP archive contains both a benign file (e.g., .JPG) and a same-named folder whose contents (executable) are processed when the user opens the benign file in WinRAR < 6.23
  • Pawn Storm NTLMv2 hash relay via CVE-2023-38831: monitor for WinRAR-spawned processes making outbound WebDAV/HTTP requests to localhost:8080 followed by exfiltration to mockbin.org
  • Persistence indicator: info-stealer drops an internet shortcut (.url) into the Windows Startup folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\search.url
  • Exfiltration pattern: stealer uploads files via HTTP PUT to free.keep.sh, then creates TinyURL aliases via POST to tinyurl.com/app/api/create; look for PUT requests to free.keep.sh and POST requests to tinyurl.com/app/api/create
  • Head Mare anti-forensics: PowerShell command history shows event log clearing and service removal after CVE-2023-38831 initial access; hunt for 'Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }' in PowerShell logs
  • Bumblebee previously leveraged CVE-2023-38831 for payload delivery; ZIP archives with same-named folder/file pairs should be inspected at the mail gateway and endpoint
  • Pawn Storm EdgeOS implant: look for open SOCKS5 proxy on port 56981, SMB listener on port 445, and non-standard SSH on ports 2222, 58749, 59417 on EdgeOS routers as indicators of compromise
  • CVE-2023-38831 affects WinRAR versions before 6.23 only; patched in WinRAR 6.23
  • The NTLMv2 hash-stealing PowerShell payload uses a fixed (non-random) 8-byte challenge sequence in the NTLM CHALLENGE message, deviating from the legitimate random value; this fixed sequence can be used as a detection signature
  • Pawn Storm uses a robust filtering system to block security researchers and automated scripts from identifying malicious infrastructure, reducing the reliability of active scanning against their C2s
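The detection notes above say that ZIP archives carrying a same-named file/folder pair should be inspected at the mail gateway and endpoint. The following is an added example (not code from the database page or from any vendor) of a static check for that structural marker: it reads the archive's entry list with Python's standard zipfile module and reports every file entry whose name also appears as a directory prefix of other entries. Sample archives are constructed in memory and labelled as such; the choice to trim trailing whitespace on path components before comparing is a defensive generalisation and an assumption, so that near-identical names are reported too.

```python
import io
import zipfile
from collections import defaultdict


def _norm(path: str) -> str:
    # Assumption: compare path components with trailing whitespace trimmed, so
    # that a file and a folder whose names differ only by padding still collide.
    return "/".join(part.rstrip() for part in path.split("/"))


def find_same_name_pairs(zip_bytes: bytes):
    """Return [(file_entry, [members of the same-named folder]), ...].

    Only the central directory is read; nothing is extracted. An empty list
    means the archive carries no file/folder name collision.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = {}                       # normalised file path -> original entry name
    dir_members = defaultdict(list)  # normalised directory path -> member entry names
    for name in names:
        if name.endswith("/"):
            # Explicit directory entry (may be empty); register it with no members.
            dir_members.setdefault(_norm(name.rstrip("/")), [])
            continue
        files.setdefault(_norm(name), name)
        # Every parent prefix of a file entry is an implicit directory.
        parts = name.split("/")
        for depth in range(1, len(parts)):
            dir_members[_norm("/".join(parts[:depth]))].append(name)

    return [(files[key], sorted(dir_members[key]))
            for key in sorted(files) if key in dir_members]


def build_constructed_zip(entries):
    """Build a ZIP in memory from (name, bytes) pairs; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a benign-looking file plus a folder of the same name.
SUSPICIOUS_ZIP = build_constructed_zip([
    ("photo.jpg", b"\xff\xd8\xff\xe0 constructed image placeholder"),
    ("photo.jpg/photo.jpg.cmd", b"constructed placeholder, no real content"),
])

# Constructed sample: same collision, but the file name carries a trailing space.
PADDED_ZIP = build_constructed_zip([
    ("photo.jpg ", b"\xff\xd8\xff\xe0 constructed image placeholder"),
    ("photo.jpg/photo.jpg.cmd", b"constructed placeholder, no real content"),
])

# Constructed sample: an ordinary archive with a folder and unrelated files.
CLEAN_ZIP = build_constructed_zip([
    ("notes.txt", b"constructed notes"),
    ("images/", b""),
    ("images/photo.jpg", b"\xff\xd8\xff\xe0 constructed image placeholder"),
])


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP),
                        ("padded", PADDED_ZIP),
                        ("clean", CLEAN_ZIP)):
        pairs = find_same_name_pairs(blob)
        verdict = "FLAG" if pairs else "ok"
        print(f"{label:10s} {verdict:4s} {pairs}")
```

The check is deliberately content-agnostic: it does not care what the folder members are, only that a file and a folder share a name, which is the precondition the CVE description gives. A gateway rule can therefore quarantine on the pair alone and leave member inspection to the endpoint.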

CVSS provenance

nvd | v3.1 | 7.8 HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck | 7.8 HIGH
cisa | 7.8 HIGH