SANS ISC: Internet Storm Center

.rar Files and ACE Exploit CVE-2018-20250

Published: 2019-04-22
Last Updated: 2019-04-22 09:38:23 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Reader Carlos submitted an email with an attached RAR file.

In the past, when you received a RAR file as an attachment in an unexpected email, it often contained a single malicious Windows executable. For the infection to occur, one would have to open the attachment and double-click the executable.

Nowadays, a file with a .rar extension can also be an ACE archive carrying an exploit, like the popular CVE-2018-20250. Infection then typically occurs by opening the attachment and later restarting the computer or performing a logoff/logon cycle.

With oledump.py and its plugin plugin_msg.py, one can inspect .msg files:

There's an attachment with extension .rar:

And it is indeed a RAR file containing an executable.

If it were an ACE file masquerading as a RAR file (.rar extension instead of .ace), one would see the following:

The binary data does not start with "Rar!"; instead, one sees "**ACE**" a few bytes into the binary data.

The example above is a normal ACE file. ACE files carrying a path traversal exploit will have an abnormal path stored in the ACE file:
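The two checks described above, as an added Python example that is not part of the diary and not one of Didier's tools: it classifies a blob by the "Rar!" and "**ACE**" signatures rather than by extension, walks the ACE header chain (layout taken from the published ACE header documentation; only 32-bit file headers, type 1, are handled) to list the stored filenames, and flags any name with a parent-directory component, an absolute path or a drive letter as abnormal. The sample archive bytes are constructed inside the script with the header CRC left at zero; they are not a real archive and carry no exploit.

```python
import struct

# Signatures from the diary: RAR starts with "Rar!", ACE carries "**ACE**" at offset 7,
# i.e. after HEAD_CRC(2), HEAD_SIZE(2), HEAD_TYPE(1) and HEAD_FLAGS(2).
RAR_MAGIC = b"Rar!"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7
ACE_HEAD_MAIN = 0
ACE_HEAD_FILE32 = 1


def identify(data: bytes) -> str:
    """Classify a blob by signature, ignoring the file extension entirely."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def ace_filenames(data: bytes) -> list:
    """Walk the ACE header chain and return the stored name of every 32-bit file header.

    Assumed layout (ACE header documentation): HEAD_CRC(2) HEAD_SIZE(2), then HEAD_SIZE
    bytes starting with HEAD_TYPE(1) HEAD_FLAGS(2). A file header continues with PACK_SIZE,
    ORIG_SIZE, FTIME, ATTR, CRC32, TECH (4 bytes each), RESERVED(2), FNAME_SIZE(2), FNAME,
    and is followed by PACK_SIZE bytes of packed data. Type 2 (64-bit) headers are not handled.
    """
    names = []
    pos = 0
    while pos + 4 <= len(data):
        head_size = struct.unpack_from("<H", data, pos + 2)[0]
        body = data[pos + 4:pos + 4 + head_size]
        if head_size < 3 or len(body) < head_size:
            break  # truncated or malformed header chain
        head_type = body[0]
        pos += 4 + head_size
        if head_type == ACE_HEAD_FILE32 and len(body) >= 31:
            pack_size = struct.unpack_from("<I", body, 3)[0]
            fname_size = struct.unpack_from("<H", body, 29)[0]
            fname = body[31:31 + fname_size]
            names.append(fname.decode("cp437", errors="replace"))
            pos += pack_size  # skip the packed file data that follows the header
        elif head_type != ACE_HEAD_MAIN:
            break  # unknown header type: stop rather than misparse what follows
    return names


def is_abnormal_path(name: str) -> bool:
    """Flag stored paths that have no business in a legitimate archive:
    parent-directory components, absolute paths or drive letters."""
    normalized = name.replace("\\", "/")
    parts = normalized.split("/")
    return ".." in parts or normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":")


def analyze(data: bytes) -> dict:
    """Signature type, stored ACE filenames, and the subset with abnormal paths."""
    kind = identify(data)
    files = ace_filenames(data) if kind == "ace" else []
    return {"type": kind, "files": files, "abnormal": [f for f in files if is_abnormal_path(f)]}


def _ace_header(head_type: int, flags: int, payload: bytes) -> bytes:
    body = bytes([head_type]) + struct.pack("<H", flags) + payload
    return struct.pack("<HH", 0, len(body)) + body  # HEAD_CRC left at 0: constructed sample only


def build_sample_ace(filenames) -> bytes:
    """Construct a minimal ACE-shaped blob for testing; it is not a real archive."""
    # main header: "**ACE**", then VER_EXTRACT, VER_CREATED, HOST_CREATED, VOLUME_NUMBER,
    # TIME_CREATED(4) and RESERVED(8), all zeroed here
    out = _ace_header(ACE_HEAD_MAIN, 0, ACE_MAGIC + bytes(16))
    for name in filenames:
        content = b"MZ" + bytes(6)  # constructed stand-in for packed data
        raw = name.encode("cp437")
        fields = struct.pack("<IIIIIIHH", len(content), len(content), 0, 0, 0, 0, 0, len(raw))
        out += _ace_header(ACE_HEAD_FILE32, 0x0001, fields + raw) + content
    return out


if __name__ == "__main__":
    print(analyze(b"Rar!\x1a\x07\x00" + bytes(16)))
    print(analyze(build_sample_ace(["readme.txt", "..\\..\\dropped.exe"])))
```

Run it on the attachment bytes extracted from the .msg file: a "rar" verdict with no stored filenames matches the first screenshot, an "ace" verdict with only plain names matches the normal ACE file, and any entry in "abnormal" is the kind of path the last paragraph warns about.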


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: ace exploit rar