Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)
A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
Sublime rule

name: "Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)"
description: |
  A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
type: "rule"
severity: "critical"
authors:
  - twitter: "delivr_to"
references:
  - https://twitter.com/GroupIB_TI/status/1694277126944633328
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://github.com/b1tg/CVE-2023-38831-winrar-exploit/
  - https://delivr.to/payloads?id=ab969e8a-bf5c-45a6-acd0-0dd2b2a34750
source: |
  type.inbound
  and any(attachments,
          .file_extension in $file_extensions_common_archives and
          any(file.explode(.),
              (
                .depth == 0 and
                any(.scan.zip.all_paths,
                    regex.match(.,
                                // zip contains a path with spaces and file extensions
                                // lure.pdf /lure.pdf .cmd
                                //
                                // /= Initial file name (including any spaces)
                                // |
                                // |      /= Space
                                // |      |
                                // |      | /= Folder
                                // |      | |
                                // |      | | /= Repeated file name
                                // |      | | |
                                // |      | | |      /= Space
                                // |      | | |      |
                                // |      | | |      | /= Real script ending
                                // |      | | |      | |
                                  '.+\.\w+\s\/.+\.\w+\s\.\w+'
                    )
                )
              ) and
              (
                // One file name is present in another, e.g.
                // delivrto.pdf
                // delivrto.pdf /delivrto.pdf .cmd
                any(.scan.zip.all_paths,
                    any(..scan.zip.all_paths,
                        . != .. and
                        strings.starts_with(., ..)
                    )
                )
              )
          )
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Suspicious Attachment"
  - "CVE-2023-38831"
id: "926b96ae-f40b-525d-a312-bd6c9a5f19fb"
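The two attachment checks in the rule above (the spaced-name regex over zip entry paths, and the requirement that one entry path be a prefix of another), as an added stand-alone Python example that is not part of the Sublime rule or the delivr.to project. It reads the entry names from an in-memory archive built from constructed names with placeholder contents, applies the regex as a full-string match (an assumption about the rule's regex.match semantics), and leaves the sender clause out; the directory-only sample shows why both checks are required together, since a folder entry naturally prefixes its own contents.

```python
import io
import re
import zipfile

# Regex taken from the rule: "<name>.<ext> /<name>.<ext> .<ext>", i.e. a space
# before the folder separator, the file name repeated, a space before the real extension.
CVE_2023_38831_PATH = re.compile(r".+\.\w+\s\/.+\.\w+\s\.\w+")


def has_spaced_script_path(paths):
    """First clause: some entry path matches the spaced-name pattern.
    Full-string match is an assumption about the rule's regex.match semantics."""
    return any(CVE_2023_38831_PATH.fullmatch(p) for p in paths)


def has_nested_name(paths):
    """Second clause: one entry path is a strict prefix of a different entry path."""
    return any(a != b and b.startswith(a) for a in paths for b in paths)


def is_suspicious(paths):
    """Both clauses must hold, mirroring the 'and' in the rule's source."""
    return has_spaced_script_path(paths) and has_nested_name(paths)


def scan_zip_bytes(data):
    """Read the entry names from an archive given as bytes and evaluate them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return is_suspicious(zf.namelist())


def build_zip(entries):
    """Constructed test fixture: an in-memory archive with the given entry names
    and placeholder text as contents (no script, no payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


# Constructed samples: the layout the rule comments describe, and ordinary archives.
LURE_LAYOUT = ["lure.pdf ", "lure.pdf /lure.pdf .cmd"]
PLAIN_ARCHIVE = ["report.pdf", "docs/notes.txt"]
DIR_ONLY = ["docs/", "docs/notes.txt"]  # prefix clause alone fires, regex does not

if __name__ == "__main__":
    for label, entries in [("lure", LURE_LAYOUT), ("plain", PLAIN_ARCHIVE), ("dir", DIR_ONLY)]:
        print(label, scan_zip_bytes(build_zip(entries)))
```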