Windows 11 introduced native support for 11 additional archive formats using a forked version of libarchive, significantly expanding functionality but also increasing security risks due to multiple vulnerabilities discovered in libarchive and its integration. Delays in patching libarchive upstream have led to “Half-day” vulnerabilities affecting other projects such as ClickHouse. #Windows11 #libarchive #ClickHouse
Keypoints
- Windows 11 added native support for 11 additional archive formats in October 2023 via a forked libarchive library, so the number of formats actually handled is well beyond the count Microsoft stated.
- Multiple security vulnerabilities were discovered in the libarchive fork used by Windows, including heap buffer overflows, arbitrary file write/delete, and remote code execution (RCE) in RAR decompression.
- Microsoft patched some RCE vulnerabilities in libarchive in January 2024, but corresponding fixes were merged to the upstream libarchive repository only months later, creating a “Half-day” vulnerability window.
- File Explorer’s handling of archive extraction suffers from issues like insufficient filename sanitization and patch bypasses, leading to arbitrary file write/delete vulnerabilities (CVE-2024-26185 and CVE-2024-38165).
- Incomplete handling of symbolic links in archives lets a link target point at a remote SMB server, so File Explorer's connection attempt can leak NTLM credentials.
- Libarchive's support for chained filters and a large set of file formats substantially enlarges Windows' attack surface after the update.
- The ClickHouse project, which also uses libarchive, was vulnerable to the same RAR decompression RCEs; the issue was fixed promptly after responsible disclosure.
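The two File Explorer issues above (insufficient filename sanitization leading to arbitrary file write, and symlink targets that point at a remote SMB share) come down to what an extractor accepts as a member name or link target. As an added example, not code from the summarised article or from libarchive, the following Python screen applies Windows path semantics (via `ntpath`, so it runs anywhere) to reject traversal, drive-qualified, rooted, UNC/device and alternate-data-stream names, and to reject symlink targets that are remote, absolute, or resolve outside the extraction root. `EXTRACT_ROOT`, the function names and the sample listing are assumptions constructed for the demonstration; the listing mirrors the path shapes the digest mentions rather than any real artifact.

```python
import ntpath
from typing import Iterable, Optional

# Assumed extraction root for the demonstration (placeholder, not a path from the article).
EXTRACT_ROOT = r"C:\Users\victim\Downloads\archive"


def _inside_root(candidate: str) -> bool:
    """True when a normalised Windows path lies strictly below EXTRACT_ROOT."""
    root = ntpath.normpath(EXTRACT_ROOT).lower() + "\\"
    return ntpath.normpath(candidate).lower().startswith(root)


def classify_entry_name(name: str) -> Optional[str]:
    """Return why an archive member name must be rejected, or None if it is safe
    to materialise below EXTRACT_ROOT under Windows path semantics."""
    if not name or "\x00" in name:
        return "empty or NUL-containing name"
    normalized = name.replace("/", "\\")
    # \\server\share, \\?\ and \\.\ prefixes are never acceptable member names.
    if normalized.startswith("\\\\"):
        return "UNC or device path"
    # Drive-qualified (C:\x, C:x) and rooted (\x) names are absolute in effect.
    drive, rest = ntpath.splitdrive(normalized)
    if drive or rest.startswith("\\"):
        return "absolute or drive-relative path"
    # A remaining colon means an alternate data stream or malformed drive syntax.
    if ":" in rest:
        return "colon in name (ADS or drive syntax)"
    # Only now resolve '..' segments and confirm the result stays under the root.
    if not _inside_root(ntpath.join(EXTRACT_ROOT, rest)):
        return "resolves outside the extraction root"
    return None


def classify_symlink_target(link_name: str, target: str) -> Optional[str]:
    """Reject symlink members whose target is remote (UNC), absolute, or resolves
    outside the extraction root; a UNC target is the shape the digest ties to NTLM leaks."""
    reason = classify_entry_name(link_name)
    if reason:
        return f"link name: {reason}"
    t = target.replace("/", "\\")
    if t.startswith("\\\\"):
        return "target is a UNC/remote path"
    drive, rest = ntpath.splitdrive(t)
    if drive or rest.startswith("\\"):
        return "target is an absolute path"
    # Relative targets resolve from the link's own directory, not from the root.
    link_dir = ntpath.dirname(ntpath.join(EXTRACT_ROOT, link_name.replace("/", "\\")))
    if not _inside_root(ntpath.join(link_dir, rest)):
        return "target resolves outside the extraction root"
    return None


def screen_archive(entries: Iterable[tuple]) -> dict:
    """entries: (member_name, symlink_target_or_None). Returns {member_name: reason or 'ok'}."""
    verdicts = {}
    for name, target in entries:
        reason = (classify_symlink_target(name, target) if target is not None
                  else classify_entry_name(name))
        verdicts[name] = reason or "ok"
    return verdicts


# Constructed sample listing: the names copy the path shapes the digest mentions
# (a '..' traversal, a drive-qualified path, a UNC symlink target); none is a real sample.
SAMPLE_ENTRIES = [
    ("docs/readme.txt", None),
    (r"poc\poc.txt", None),
    (r"..\poc.txt", None),
    (r"C:\poc\poc.txt", None),
    (r"C:poc.txt", None),
    ("notes.txt:hidden", None),
    (r"sub\link_ok", r"..\docs\readme.txt"),
    ("link_escape", r"..\..\escape.txt"),
    ("link_unc", r"\\198.51.100.7\share\test.txt"),
]

if __name__ == "__main__":
    for member, verdict in screen_archive(SAMPLE_ENTRIES).items():
        print(f"{member:24} {verdict}")
```

The order of the checks matters: the UNC and drive tests run on the raw name before any normalisation, because `normpath` would happily collapse `..` segments inside a `C:` or `\\server` path and make it look benign. Symlink targets are resolved from the link's own directory, which is what a real extractor does when it later follows the link.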
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Exploiting File Explorer's "Compressed Archive Folder" feature by tricking users into opening malicious archive files, leading to arbitrary file writes or remote code execution ("when the user either double-clicks the symlink or selects 'Extract All', File Explorer will attempt to communicate with the SMB server at that IP address, leading to an NTLM leak").
- [T1560.001] Archive Collected Data: Archive via RAR/7z Formats – Leveraging vulnerabilities in libarchive’s handling of RAR decompression filters to execute arbitrary code (“the vulnerabilities patched by Microsoft in January were not merged into libarchive until May, leaving countless applications exposed to risk”).
- [T1040] Network Sniffing: NTLM Relay – Exploiting unresolved symbolic links in archives to cause File Explorer to communicate with remote SMB servers and leak NTLM credentials (“File Explorer will attempt to communicate with the SMB server at that IP address, leading to an NTLM leak”).
- [T1221] Template Injection: Execution – Using specially crafted RAR filters (e.g., e8 filter) that involve executing a virtual machine within RAR decompression to trigger heap buffer overflow vulnerabilities (“libarchive doesn’t fully implement the entire VM, instead it calculates a fingerprint to decide execution”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Libarchive spawns external helper executables found in PATH when the library it needs to decompress a format is not linked in ("explorer.exe is trying to execute lzop in PATH to decompress the archive").
Indicators of Compromise
- [File Names] Archive member names with malicious paths – examples include "..\poc.txt", "C:\poc\poc.txt", and "pocpoc.txt", used to bypass path sanitization and trigger arbitrary file write vulnerabilities.
- [Domains/IP Addresses] SMB servers used for NTLM exfiltration – e.g., the UNC path "\\172.23.176.34\Users\nini\Desktop\sharing\test.txt" used as a symbolic link target.
- [File Hashes] None are given in the article; multiple RAR archives with an e8 filter and crafted Huffman data were used to trigger vulnerabilities such as CVE-2024-20696 and CVE-2024-20697.
- [DLL Files] Vulnerable Windows DLLs such as zipfldr.dll (handles archive interaction) and archiveint.dll (forked libarchive) identified as attack surfaces for exploiting these vulnerabilities.