CVE CyberSecurity Database News

CVE-2024-20696 - Windows Libarchive Remote Code Execution Vulnerability Explained

Poster -

On January 9, 2024, Microsoft disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-20696, affecting the libarchive library on Windows. Attackers could exploit this bug to execute arbitrary code simply by tricking a user into opening a maliciously-crafted archive file (such as a .ZIP, .TAR, or .CAB) using an affected application or Windows Explorer integration. In this article, we'll explain how this vulnerability works, explore the exploitation process with simplified code, and provide resources for mitigation and further reading.

What Is Libarchive and Why Does This Matter?

Libarchive is an open-source library used to read and write various streaming archive formats, including ZIP, TAR, CAB, and more. Microsoft includes it in Windows, starting with Windows 10 and Windows Server 2019, to provide native archiving support for additional formats through File Explorer and other system components.

If this library has a vulnerability, it can impact a huge number of Windows systems—especially when users rely on native Explorer features.

Details of CVE-2024-20696

- CVE: CVE-2024-20696

Severity: Critical (CVSS: 7.8, per Microsoft)

- Affected: Windows 10, Windows 11, Windows Server 2019/2022, and systems with libarchive.dll (see Microsoft's advisory)

Impact: Attacker-controlled code execution when a specially crafted archive is opened.

How it works:
Malicious archive files are crafted to exploit a parsing bug in the vulnerable version of libarchive.dll. If a user opens one of these files using Windows Explorer or a built-in tool that uses libarchive, the attacker's payload can execute in the context of that user.

Craft a Malicious Archive:

Use knowledge of the vulnerable code path to create an archive file with specific properties/triggers (for example, strange filenames, deeply nested directories, or malformed headers).

User Opens the File:

When the target opens or previews the file with a Windows tool that relies on libarchive, the exploit runs—potentially installing malware, backdoors, or ransomware.

Code Snippet: How the Vulnerability Might Look

*Note: The real vulnerable code is generally not published for security reasons, but here’s a simplistic example to illustrate how such a bug often arises.*

// Pseudocode simulating vulnerable archive header parsing in libarchive

void parse_archive_entry(FILE *archive) {
    char filename[256];
    fread(filename, 1, 512, archive); // Vulnerability: Over-reads into buffer!
    
    // Some code that trusts filename buffer...
    printf("Extracting file: %s\n", filename);
}

*The above example shows a buffer overflow if the filename is longer than 256 bytes, allowing an attacker to overwrite memory and achieve code execution.*

Realistic Exploit Scenario

Suppose an attacker crafts a .cab file with a filename entry exceeding the internal limit, leading to buffer overflow inside libarchive:

# Python: Create a malicious fake CAB file (simplified)
with open('evil.cab', 'wb') as f:
    f.write(b'MSCF')  # CAB header
    f.write(b'A' * 300)  # Overly long file name
    # ...more crafted fields...

They deliver evil.cab to a Windows user. The moment the user double-clicks it (Explorer loads info using libarchive.dll), arbitrary code runs.

Microsoft patched the bug in their January 2024 cumulative updates.

See: Microsoft Security Advisory

Disable Archive Previews:

You can disable the Windows preview pane, as previews can trigger exploits automatically in some scenarios.

Microsoft Security Guide:

CVE-2024-20696 advisory

Libarchive Homepage:

https://www.libarchive.org/

Security Research Write-up (when available):

Google Project Zero on archive parsing bugs *(related, generic)*

Conclusion

CVE-2024-20696 is a critical reminder of the risks lurking inside file format parsers—especially those built into your OS. Always keep your systems patched and think twice before opening files from unknown sources. In just one click, a hidden bug in something as simple as a ZIP extract could hand control of your system to an attacker.

If you’re an IT professional, patch now and educate your users. If you’re a home user, run Windows Update. In security, a little awareness goes a long way.

Timeline

Published on: 01/09/2024 18:15:52 UTC
Last modified on: 04/11/2024 20:15:16 UTC