Digital Creations LLC

When writing the contents of the files, WinRAR performs path normalization that removes appended spaces, because Windows doesn’t allow files with trailing spaces.

Finally, WinRAR calls ShellExecuteExW, passing the non-normalized path with a trailing space “%TEMP%\{random_directory}\poc.png_” (the “_” stands for the space) to run the user-selected file. Internally, ShellExecute attempts to identify the file extension by calling “shell32!PathFindExtension”, which fails because extensions with spaces are considered invalid. Instead of bailing out, ShellExecute proceeds to call “shell32!ApplyDefaultExts”, which iterates through all files in a directory, finding and executing the first file with an extension matching any of the hardcoded ones: “.pif, .com, .exe, .bat, .lnk, .cmd”.

Note that while most samples exploiting CVE-2023-3883 use an archive entry with a trailing space, it is not a requirement: a space in any position in the file extension is sufficient to trigger the bug (e.g. an entry with “poc.invalid_ext” will also result in the “shell32!ApplyDefaultExts” code path being taken).
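A triage check built from the behaviour described above, as an added example (not code from the original post or from WinRAR): it flags archive entry names whose extension contains a space and records whether the archive also carries a file with one of the listed default extensions. The function names, verdict labels and sample entry names are assumptions constructed for illustration, and the check is a heuristic on names only.

```python
import zipfile

# Extensions the post lists as hardcoded in shell32!ApplyDefaultExts.
DEFAULT_EXTS = {".pif", ".com", ".exe", ".bat", ".lnk", ".cmd"}


def extension_of(entry_name):
    """Text after the last dot of the final path component ('' if there is none)."""
    base = entry_name.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot + 1:] if dot != -1 else ""


def scan_names(names):
    """Triage a list of archive entry names (hypothetical helper, names as stored)."""
    # A space anywhere in the extension is the trigger condition the post describes.
    spaced = [n for n in names if " " in extension_of(n)]
    # Files the default-extension fallback could pick up if they land in the same directory.
    launchable = [n for n in names if "." + extension_of(n).lower() in DEFAULT_EXTS]
    if spaced and launchable:
        verdict = "suspicious"   # trigger name plus a candidate for execution
    elif spaced:
        verdict = "review"       # trigger name only
    else:
        verdict = "clean"
    return {"verdict": verdict, "spaced_ext": spaced, "default_ext": launchable}


def scan_zip(path):
    """Apply the same check to the entry names of a ZIP file on disk."""
    with zipfile.ZipFile(path) as zf:
        return scan_names(zf.namelist())


if __name__ == "__main__":
    # Constructed sample listings, not taken from any real archive.
    samples = [
        ["photos/holiday.jpg", "notes.txt"],
        ["poc.png ", "readme.txt"],
        ["poc.invalid ext", "tools/helper.cmd"],
    ]
    for names in samples:
        print(names, "->", scan_names(names)["verdict"])
```

A "review" or "suspicious" verdict is a reason to inspect the archive in a sandbox rather than proof of exploitation, since ordinary archives can contain both oddly named files and scripts.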
