CVE-2023-37646
Description
An issue in the CAB file extraction function of Bitberry File Opener v23.0 allows attackers to execute a directory traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Bitberry File Opener v23.0 CAB extraction allows writing to startup folder for remote code execution.
Vulnerability
Bitberry File Opener v23.0 contains a directory traversal vulnerability in its CAB file extraction function. The flaw occurs when the software concatenates a file path embedded within a CAB archive to the current extraction directory without proper sanitization. This allows an attacker to craft a malicious CAB file that writes files outside the intended output directory. Versions prior to the fix are affected; the vulnerability is specifically reported for version 23.0 [1], [2].
Exploitation
An attacker must craft a malicious CAB file containing an entry with a directory traversal sequence (e.g., ..\) in the stored path. The attacker then delivers this CAB file to a victim (e.g., via email or download) and convinces them to open it with Bitberry File Opener. No special network position or authentication is required; user interaction is necessary. When the victim opens the file, the application extracts the CAB content and writes the entry to the path constructed by concatenating the traversal string with the current directory, allowing the attacker-controlled file to be placed in an arbitrary location [2].
Impact
Successful exploitation enables an attacker to write arbitrary files to any location the user has write access to. By writing a malicious executable or script into the Windows Startup folder, the attacker can achieve remote code execution when the next user logon occurs. The compromise occurs at the privilege level of the logged-in user, potentially leading to full system compromise if the user has administrative rights [2].
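The unchecked path concatenation described under Vulnerability, placed beside the containment check an extractor should apply, as an added example that is not Bitberry's code: the extraction directory, the entry names and the Startup-folder target are constructed, and `ntpath` is used so Windows path semantics apply on any host (the destination is assumed to be an absolute Windows path).

```python
import ntpath
from typing import Optional

# Constructed inputs: a hypothetical extraction directory and CAB entry names
# as an extractor would read them from the archive's file headers.
DEST_DIR = r"C:\Users\victim\Downloads\out"
STARTUP_ENTRY = (r"..\..\..\AppData\Roaming\Microsoft\Windows"
                 r"\Start Menu\Programs\Startup\evil.exe")


def vulnerable_extract_path(dest_dir: str, entry_name: str) -> str:
    """The flawed pattern: the archive-supplied name is joined to the output
    directory with no containment check, so '..' components walk out of it."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_extract_path(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the output path for an entry, or None if it must be rejected."""
    drive, tail = ntpath.splitdrive(entry_name)
    # Absolute, drive-relative (C:foo) and UNC names can never be contained.
    if drive or tail.startswith(("\\", "/")):
        return None
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, tail))
    # After normalisation the target must still sit under base; commonpath
    # compares case-insensitively, matching NTFS behaviour.
    try:
        common = ntpath.commonpath([base, target])
        inside = ntpath.normcase(common) == ntpath.normcase(base)
    except ValueError:  # different drives, or absolute/relative mix
        inside = False
    return target if inside else None


def triage_entries(dest_dir: str, names: list) -> dict:
    """Map each entry name to its safe output path (None means rejected)."""
    return {name: safe_extract_path(dest_dir, name) for name in names}


if __name__ == "__main__":
    entries = [r"docs\readme.txt", r"sub\..\ok.txt", STARTUP_ENTRY,
               r"\Windows\evil.exe", r"C:evil.exe", r"\\srv\share\evil.exe"]
    print("unchecked join:", vulnerable_extract_path(DEST_DIR, STARTUP_ENTRY))
    for name, path in triage_entries(DEST_DIR, entries).items():
        print("REJECT" if path is None else "ok    ", name, "->", path)
```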
Mitigation
As of the publication date (2023-08-08), no official fix or patched version has been released by Bitberry Software. Users are advised to exercise caution when opening CAB files from untrusted sources until a security update is provided. The vendor’s website (http://bitberry.com) does not mention a patch at the time of writing [1], [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Bitberry/File Opener
- Range: = 23.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.