Overview of CVE-2023-38831 Vulnerability
CVE-2023-38831 is a vulnerability that allows threat actors to spoof file extensions, enabling them to execute malicious scripts disguised as harmless files such as images or text documents. This vulnerability was patched in version 6.23, released on August 2, 2023, alongside CVE-2023-40477.
Attack Scenario: Exploiting CVE-2023-38831
Preparation Steps:
- Target Environment: A Windows 10 machine running WinRAR version 6.22.
- Attack Machine: A Kali Linux machine to execute commands and send malicious files to the target Windows machine.
Exploitation Process:
- Step 1: Open the Malicious ZIP File
- The attack begins when the victim opens a ZIP file containing a malicious script using WinRAR.exe. The ZIP file includes a script disguised as an image file.
- Step 2: Victim Interaction
- The victim unknowingly triggers the vulnerability by clicking on the disguised image file within the extracted folder.
- Step 3: Script Execution
- Instead of opening an image, a BAT script (batch file) is executed due to the spoofed file extension. This script initiates further actions.
- Step 4: SFX File Execution
- The BAT script triggers a self-extracting (SFX) file containing additional malicious payloads or scripts. These payloads may enable further attacks or remote access for the attacker.
