REPRO-2026-00090 HIGH Path Traversal
Verified
WinRAR ADS Path Traversal — Arbitrary Code Execution via Crafted Archive (CVE-2025-8088)
Feb 17, 2026
What's the vulnerability?
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Root Cause Analysis
## Summary

CVE-2025-8088 is a path traversal flaw in WinRAR for Windows that allows archives containing Alternate Data Streams (ADS) to write files outside the chosen extraction directory. A crafted RAR with ADS entries can drop a payload into the user's Startup folder when extracted, enabling arbitrary code execution on next login.

## Impact

- Package/component affected: WinRAR for Windows (and Windows UnRAR/UnRAR.dll/portable UnRAR).
- Affected versions: WinRAR <= 7.12 (patched in 7.13).
- Risk level and consequences: High. A crafted archive can write files outside the destination, enabling persistence and code execution (e.g., Startup folder payloads).

## Root Cause

WinRAR's handling of ADS entries allows path traversal through relative path components (`..\`) embedded in ADS stream names. When extracting a RAR with ADS entries, WinRAR resolves traversal segments relative to the extraction path and permits writing the ADS payload into unintended locations (e.g., Startup folder). WinRAR 7.13 release notes indicate this was fixed, suggesting validation was added to prevent traversal outside the destination.

## Reproduction Steps

1. Run `repro/reproduction_steps.sh` (wrapper for PowerShell script).
2. The script installs WinRAR 7.12, downloads a public PoC generator, patches it to avoid PDF dependencies, generates an exploit RAR with multiple ADS traversal depths, then extracts it with WinRAR's `rar.exe` CLI.
3. Evidence of reproduction is a `payload.bat` written to the user Startup folder and logged output indicating "Issue confirmed."

## Evidence

- Logs: `logs/repro-<timestamp>.log` (created per run).
- Key excerpt (from successful runs):
  - "WinRAR version: 7.12.0"
  - "Exploit created: exploit.rar"
  - "VULNERABLE: payload written to startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat"
- Environment: Windows sandbox, WinRAR 7.12 installed via rarlab installer, Python 3.12 used to run PoC generator.

## Recommendations / Next Steps

- Upgrade WinRAR to 7.13 or later on Windows hosts.
- If WinRAR cannot be upgraded immediately, disable ADS handling or block extraction of untrusted archives.
- Add regression tests that extract crafted ADS archives and ensure no writes occur outside the destination directory.

## Additional Notes

- Idempotency: `repro/reproduction_steps.ps1` was run twice successfully; both runs produced the Startup payload and exited 0.
- Limitation: The PoC relies on ADS traversal; Linux/Unix builds are not affected per vendor advisory.
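The containment check behind the regression-test recommendation above, as an added example that is not WinRAR's code or part of the original report: it audits listed entry names before anything is written to disk. The destination path, the sample entries and the function names are constructed for illustration, and the code assumes the report's description that traversal segments in a stream name resolve relative to the extraction path.

```python
import ntpath  # Windows path semantics, importable on any OS

def inside(dest, rel):
    """True if rel, joined to dest, normalizes to a path at or under dest."""
    root = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, rel)))
    # Compare with a trailing separator so "out" does not match "outside.txt".
    return target == root or target.startswith(root.rstrip("\\") + "\\")

def audit_entries(dest, entries):
    """Return (file_name, stream_name, reason) for every entry to refuse.

    entries: (file_name, stream_name or None) pairs taken from an archive
    listing, checked before anything is written to disk.
    """
    findings = []
    for file_name, stream in entries:
        if not inside(dest, file_name):
            findings.append((file_name, stream, "file path escapes destination"))
        if stream is None:
            continue
        # Assumption from the report: traversal segments in a stream name
        # resolve relative to the extraction path.
        if not inside(dest, stream):
            findings.append((file_name, stream, "stream name escapes destination"))
        elif "\\" in stream or "/" in stream:
            # Policy of this example: a stream name is a bare name, never a path.
            findings.append((file_name, stream, "separator in stream name"))
    return findings

# Constructed inputs: the destination and entry names are illustrative only.
DEST = r"C:\Users\Administrator\Downloads\out"
SAMPLE_ENTRIES = [
    ("report.txt", None),
    ("report.txt", "Zone.Identifier"),
    ("decoy.txt", r"..\..\AppData\Roaming\Microsoft\Windows"
                  r"\Start Menu\Programs\Startup\payload.bat"),
    ("notes.txt", r"sub\..\meta"),
    (r"..\outside.txt", None),
]

if __name__ == "__main__":
    for name, stream, reason in audit_entries(DEST, SAMPLE_ENTRIES):
        print(f"REFUSE {name!r} stream={stream!r}: {reason}")
```

The same `inside` check can serve as the assertion in a regression test: after extraction into a scratch directory, every file created on disk should satisfy it.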
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.

```
pruva-verify REPRO-2026-00090
```

or

```
pruva-verify GHSA-832g-3rcm-wcrf
```

or

```
pruva-verify CVE-2025-8088
```

Install:

```
curl -fsSL https://pruva.dev/install.sh | sh
```

Or Run Manually

1. Download the script

```
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00090/artifacts/reproduction_steps.sh
```

2. Make executable

```
chmod +x reproduction_steps.sh
```

3. Run the script

```
./reproduction_steps.sh
```

Run in a VM, container, or disposable environment. This exploits a real vulnerability.