Government-backed actors exploiting WinRAR vulnerability

When writing contents of the files, WinRAR performs path normalization that removes appended spaces, because Windows doesn’t allow files with trailing spaces.

Finally, WinRAR calls ShellExecuteExW, passing the non-normalized path with a trailing space “%TEMP%{random_directory}poc.png_” to run the user-selected file. Internally, ShellExecute attempts to identify file extensions by calling “shell32!PathFindExtension” which fails because extensions with spaces are considered invalid. Instead of bailing out, ShellExecute proceeds to call “shell32!ApplyDefaultExts” which iterates through all files in a directory, finding and executing the first file with an extension matching any of the hardcoded ones: “.pif, .com, .exe, .bat, .lnk, .cmd”.

Note, that while most samples exploiting CVE-2023-3883 use an archive entry with a trailing space, it is not a requirement, and a space in any position in the file extension is sufficient to trigger the bug (e.g. entry with “poc.invalid_ext” will also result in “shell32!ApplyDefaultExts” code path to be taken).