Junrar Backslash Path Traversal Vulnerability in LocalFolderExtractor Allowing Arbitrary File Write on Linux/Unix

Vulnerability

A backslash path traversal vulnerability has been identified in the Junrar library, specifically in versions prior to 7.5.8. This vulnerability allows an attacker to write arbitrary files with controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux or Unix systems. The issue arises because, on these platforms, backslashes are treated as literal characters rather than path separators. As a result, RAR entries with backslash-separated paths can bypass canonical path validation and be extracted outside the intended directory, potentially leading to remote code execution by overwriting sensitive files such as shell profiles or cron jobs.

Impact

Exploitation of this vulnerability allows for arbitrary file write operations with attacker-controlled content, which can overwrite existing files. This behavior can often be leveraged to execute arbitrary code, particularly if the overwritten file is a script or configuration file that is executed by the system.

Reproduction

The vulnerability can be reproduced by creating a RAR archive that includes a file with a backslash-separated path traversal, such as '..\..\tmp\existing-file'. When this archive is extracted using Junrar versions prior to 7.5.8 on a Linux or Unix system, the library's path handling will incorrectly interpret the backslashes, leading to a traversal outside the extraction directory. This can be automated with a script that sets up the malicious archive and the necessary environment to demonstrate the vulnerability.
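To make the mechanism concrete, the following added example (not Junrar's code) models the two checks side by side with POSIX path semantics: a naive canonical-path check that validates the entry name as-is, and a hardened check that treats backslashes as separators before validating. The extraction directory, entry names and helper names are assumptions; the traversal path is the one quoted above.

```python
import posixpath

# Constructed sample RAR entry names; the first is the traversal path from the advisory.
SAMPLE_ENTRIES = [
    r"..\..\tmp\existing-file",   # backslash traversal (advisory example)
    "../../tmp/existing-file",    # forward-slash traversal
    "docs/readme.txt",            # benign
    r"sub\dir\file.txt",          # benign, Windows-style separators
]

DEST_DIR = "/tmp/junrar-extract"  # hypothetical extraction directory


def _within(dest_dir: str, candidate: str) -> bool:
    """Lexically check that candidate stays under dest_dir (POSIX semantics)."""
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, candidate))
    return target == dest or target.startswith(dest + "/")


def naive_is_inside(dest_dir: str, entry_name: str) -> bool:
    """Weak check: validate the entry name as-is. On POSIX a backslash is an
    ordinary filename character, so '..\\..\\tmp\\existing-file' looks like one
    oddly named file inside dest_dir and the check passes, even though an
    extractor that later maps '\\' to '/' would write /tmp/existing-file."""
    return _within(dest_dir, entry_name)


def hardened_is_inside(dest_dir: str, entry_name: str) -> bool:
    """Hardened check: treat both '\\' and '/' as separators, reject absolute
    or drive-letter names, then resolve '..' before comparing. A real
    extractor should additionally resolve symlinks (realpath) once the
    target directories exist; this purely lexical check does not."""
    normalized = entry_name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    return _within(dest_dir, normalized)


def classify(dest_dir: str, entries: list) -> dict:
    """Map each entry name to (naive_result, hardened_result)."""
    return {name: (naive_is_inside(dest_dir, name), hardened_is_inside(dest_dir, name))
            for name in entries}


if __name__ == "__main__":
    for name, (naive, hardened) in classify(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{name!r:32} naive={naive!s:5} hardened={hardened}")
```

The naive check accepts the backslash entry while the hardened check rejects it; both reject the forward-slash variant, which is why only the backslash form slips past the vulnerable validation.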

Remediation

Users can upgrade to Junrar version 7.5.8 or later, where this vulnerability has been fixed.

Added: Feb 26, 2026, 11:27 PM
Updated: Feb 26, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.