CVE-2023-40477
Published: 2024-05-03
Priority: P3 · 51 · high · 7.8 (CVSS 3.0)
CVSS vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 13.08% (95.9th percentile)
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libclamunrar | < libclamunrar 1.0.3-1~deb12u1 (bookworm) | libclamunrar 1.0.3-1~deb12u1 (bookworm) |
| debian | rar | < libclamunrar 1.0.3-1~deb12u1 (bookworm) | libclamunrar 1.0.3-1~deb12u1 (bookworm) |
| debian | unrar-nonfree | < libclamunrar 1.0.3-1~deb12u1 (bookworm) | libclamunrar 1.0.3-1~deb12u1 (bookworm) |
| rarlab | rar | >= 0 < 2:6.23-1~deb11u1 | 2:6.23-1~deb11u1 |
| rarlab | rar | >= 0 < 2:6.23-1~deb12u1 | 2:6.23-1~deb12u1 |
| rarlab | rar | >= 0 < 2:6.23-1 | 2:6.23-1 |
| rarlab | rar | >= 0 < 2:6.23-1 | 2:6.23-1 |
| rarlab | rar | >= 0 < 2:6.23-1~20.04.1 | 2:6.23-1~20.04.1 |
| rarlab | rar | >= 0 < 2:6.23-1~22.04.1 | 2:6.23-1~22.04.1 |
| rarlab | winrar | < 6.23 | 6.23 |
| rarlab | winrar | — | — |
Detection & IOCs (extracted from sources)
- Hunt for a scheduled task named 'Windows.Gaming.Preview' executing %APPDATA%\Drivers\Windows.Gaming.Preview.exe every 3 minutes; this is the VenomRAT persistence mechanism.
- VenomRAT C2 beacon identification: look for the mutex value 'fqziwqjwgwzscvfy' in process memory or handle listings on infected hosts.
- Monitor for PowerShell downloading from checkblacklistwords[.]eu/c.txt and checkblacklistwords[.]eu/words.txt as second- and third-stage payload retrieval steps.
- VenomRAT keylogger writes keystrokes to a locally stored text file under %APPDATA%; look for unexpected .txt files in that directory alongside the Windows.Gaming.Preview.exe binary.
- Detect VenomRAT C2 commands in network traffic: the strings 'plu_gin', 'HVNCStop', 'loadofflinelog', 'save_Plugin', 'runningapp', 'keylogsetting', 'init_reg', 'Po_ng' and 'filterinfo' are distinctive RAT command tokens.
- CVE-2023-40477 is triggered by opening a specially crafted RAR recovery volume; detection should focus on WinRAR processing .rev (recovery volume) files from untrusted sources, particularly versions prior to 6.23.
- Caveat: the fake PoC GitHub repository (whalersplonk) and the Streamable demonstration video are no longer available; the infection chain URLs on checkblacklistwords[.]eu may also be inactive, but the domain should still be blocked.
- Caveat: the poc.py script itself terminates with an exception before completing, but the malicious payload download and execution code runs successfully before the crash; do not assume a failed script execution means no infection occurred.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
Ubuntu
UnRAR vulnerabilities
vendor_ubuntu·2025-03-12·CVSS 7.5
CVE-2024-33899 [HIGH] UnRAR vulnerabilities
Title: UnRAR vulnerabilities
Summary: Several security issues were fixed in UnRAR.
It was discovered that UnRAR incorrectly handled certain paths. If a user
or automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333, CVE-2022-48579)
It was discovered that UnRAR incorrectly handled certain recovery volumes.
If a user or automated system were tricked into extracting a specially
crafted RAR archive, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2023-40477)
Siddharth Dushantha discovered that UnRAR incorrectly handled ANSI escape
sequences when writing screen output. If a user or automated system were
tricked in
Ubuntu
RAR vulnerabilities
vendor_ubuntu·2025-03-12·CVSS 7.5
CVE-2022-30333 [HIGH] RAR vulnerabilities
Title: RAR vulnerabilities
Summary: Several security issues were fixed in RAR.
It was discovered that RAR incorrectly handled certain paths. If a user or
automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333)
It was discovered that RAR incorrectly handled certain recovery volumes. If
a user or automated system were tricked into extracting a specially crafted
RAR archive, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2023-40477)
Instructions: This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
Ubuntu
libclamunrar vulnerabilities
vendor_ubuntu·2024-01-08·CVSS 7.5
CVE-2022-30333 [HIGH] libclamunrar vulnerabilities
Title: libclamunrar vulnerabilities
Summary: Several security issues were fixed in libclamunrar.
It was discovered that libclamunrar incorrectly handled directories when
extracting RAR archives. A remote attacker could possibly use this issue to
overwrite arbitrary files and execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2022-30333)
It was discovered that libclamunrar incorrectly validated certain
structures when extracting RAR archives. A remote attacker could possibly
use this issue to execute arbitrary code. (CVE-2023-40477)
Instructions: This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
Debian
CVE-2023-40477: libclamunrar - RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Exe...
vendor_debian·2023·CVSS 7.8
CVE-2023-40477 [HIGH] CVE-2023-40477: libclamunrar - RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Exe...
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.
Scope: local
bookworm: resolved (fixed in 1.0.3-1~deb12u1)
bullseye: resolved (fixed in 0.103.10-1~deb11u1)
sid: resol
OSV
unrar-nonfree vulnerabilities
osv·2025-03-12·CVSS 7.5
CVE-2022-30333 [HIGH] unrar-nonfree vulnerabilities
unrar-nonfree vulnerabilities
It was discovered that UnRAR incorrectly handled certain paths. If a user
or automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333, CVE-2022-48579)
It was discovered that UnRAR incorrectly handled certain recovery volumes.
If a user or automated system were tricked into extracting a specially
crafted RAR archive, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2023-40477)
Siddharth Dushantha discovered that UnRAR incorrectly handled ANSI escape
sequences when writing screen output. If a user or automated system were
tricked into processing a specially crafted RAR archive, a remot
OSV
rar vulnerabilities
osv·2025-03-12·CVSS 7.5
CVE-2022-30333 [HIGH] rar vulnerabilities
rar vulnerabilities
It was discovered that RAR incorrectly handled certain paths. If a user or
automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333)
It was discovered that RAR incorrectly handled certain recovery volumes. If
a user or automated system were tricked into extracting a specially crafted
RAR archive, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2023-40477)
GHSA
GHSA-58vr-f4x9-3h36: RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability
ghsa_unreviewed·2024-05-03
CVE-2023-40477 [HIGH] CWE-129 GHSA-58vr-f4x9-3h36: RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.
OSV
CVE-2023-40477: RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability
osv·2024-05-03·CVSS 7.8
CVE-2023-40477 [HIGH] CVE-2023-40477: RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.
OSV
libclamunrar vulnerabilities
osv·2024-01-08·CVSS 7.5
CVE-2022-30333 [HIGH] libclamunrar vulnerabilities
libclamunrar vulnerabilities
It was discovered that libclamunrar incorrectly handled directories when
extracting RAR archives. A remote attacker could possibly use this issue to
overwrite arbitrary files and execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2022-30333)
It was discovered that libclamunrar incorrectly validated certain
structures when extracting RAR archives. A remote attacker could possibly
use this issue to execute arbitrary code. (CVE-2023-40477)
No detection rules found.
No public exploits indexed.
Securelist
Exploits and vulnerabilities in Q1 2024
blogs_securelist·2024-05-07·CVSS 7.8
CVE-2024-3094 [HIGH] Exploits and vulnerabilities in Q1 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Public exploit statistics
  - Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
  - CVE-2024-3094 (XZ)
  - CVE-2024-20656 (Visual Studio)
  - CVE-2024-21626 (runc)
  - CVE-2024-1708 (ScreenConnect)
  - CVE-2024-21412 (Windows Defender)
  - CVE-2024-27198 (TeamCity)
  - CVE-2023-38831 (WinRAR)
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting a
Securelist
Analyzing the vulnerability landscape in Q1 2024
blogs_securelist·2024-05-07
Analyzing the vulnerability landscape in Q1 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Add
Bleepingcomputer
Google links WinRAR exploitation to Russian, Chinese state hackers
blogs_bleepingcomputer·2023-10-18·CVSS 7.8
[HIGH] Google links WinRAR exploitation to Russian, Chinese state hackers
By Sergiu Gatlan
Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems.
Google's Threat Analysis Group (TAG), a team of security experts who defend Google users from state-sponsored attacks, has detected state hackers from several countries targeting the bug, including the Sandworm, APT28, and APT40 threat groups from Russia and China.
"In recent weeks, Google's Threat Analysis Group's (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular
Bleepingcomputer
Fake WinRAR proof-of-concept exploit drops VenomRAT malware
blogs_bleepingcomputer·2023-09-20·CVSS 9.8
[CRITICAL] Fake WinRAR proof-of-concept exploit drops VenomRAT malware
By Bill Toulas
A hacker is spreading a fake proof-of-concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub, attempting to infect downloaders with the VenomRAT malware.
The fake PoC exploit was spotted by Palo Alto Networks' Unit 42 team of researchers, who reported that the attacker uploaded the malicious code to GitHub on August 21, 2023.
The attack is no longer active, but it once again highlights the risks of sourcing PoCs from GitHub and running them without additional scrutiny to ensure they're safe.
## Spreading the WinRAR PoC
The fake PoC is for the CVE-2023-40477 vulnerability, an arbitrary code execution vulnerability that can be triggered when specially crafted RAR files are opened on WinRAR
Unit42
Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
blogs_unit42·2023-09-19·CVSS 9.8
CVE-2023-40477 [CRITICAL] Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
# Executive Summary
Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository.
The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157. We analyzed the fake PoC script and all the links in the in
Unit42
Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
blogs_unit42·2023-09-19·CVSS 9.8
CVE-2023-40477 [CRITICAL] Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
By Robert Falcone · Published: September 19, 2023
Tags: Malware, Threat Research, Vulnerabilities, CVE-2023-25157, CVE-2023-40477, Proof of Concept, Remote Access Trojan, Remote Code Execution, Social engineering, VenomRAT, WinRAR
## Executive Summary
Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of w
References
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
- https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
- https://lists.debian.org/debian-lts-announce/2023/11/msg00009.html