Yesterday, security experts at Checkpoint Security Labs posted about a 19-year-old vulnerability in WinRAR. Their report is impressive to read: it gives a very detailed explanation of the whole process, from how they discovered the vulnerability to how they reproduced it and built proof-of-concept code.
Technically, the vulnerability is not in WinRAR itself but in a DLL file it has been using to unpack ACE archives. ACE archives are created with WinACE, which was available in the early 2000s. The WinACE developers stopped working on it in 2007, and since then even its website has gone offline. A file from the old WinACE package called UNACEV2.DLL was bundled with WinRAR to support decompressing ACE archives. This DLL allows path traversal: an entry name inside the archive can point outside the folder you chose, so the file can be dropped anywhere on your computer. So if you try to extract files from a specially designed ACE archive, it will extract some files in the expected folder, but other malicious files in some locations in your computer such as the auto-start folder.
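The root cause is an extractor that trusts the entry name stored in the archive. As an added illustration (not code from the Check Point report or from WinRAR/UNACEV2.DLL), here is the containment check an extractor should run on every entry name before writing a file; the destination folder and entry names are constructed examples, and Windows path rules are applied via `ntpath` so the check runs on any platform.

```python
import ntpath

def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if entry_name resolves to a location inside dest_dir.

    Rejects absolute paths, drive letters, UNC/rooted paths and any '..'
    sequence that escapes the destination. Both '/' and '\\' are treated as
    separators, as Windows extractors do.
    """
    if not entry_name:
        return False
    name = entry_name.replace("/", "\\")
    # Drive-qualified (C:\...), UNC (\\server\share) or rooted (\dir) names
    # would override or replace the destination; refuse them outright.
    if ntpath.splitdrive(name)[0] or name.startswith("\\"):
        return False
    base = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, name)))
    # After normalisation the target must still sit below base. Names whose
    # '..' segments resolve back inside base (songs\..\a.mp3) are harmless.
    return target == base or target.startswith(base.rstrip("\\") + "\\")

def plan_extraction(dest_dir: str, entry_names: list[str]) -> tuple[list[str], list[str]]:
    """Split an archive listing into entries safe to write and entries to refuse."""
    accepted, rejected = [], []
    for name in entry_names:
        (accepted if is_safe_entry(dest_dir, name) else rejected).append(name)
    return accepted, rejected

# Constructed sample listing: one benign entry, one that walks out of the
# destination folder, and two that name an absolute location.
SAMPLE_DEST = "C:\\Users\\bob\\Downloads\\extracted"
SAMPLE_ENTRIES = [
    "songs\\track01.mp3",
    "songs\\..\\track02.mp3",
    "..\\..\\startup-folder\\dropped.exe",
    "C:\\Windows\\Temp\\dropped.exe",
    "\\dropped.exe",
]

if __name__ == "__main__":
    ok, bad = plan_extraction(SAMPLE_DEST, SAMPLE_ENTRIES)
    print("extract:", ok)
    print("refuse: ", bad)
```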
WinRAR developers have decided to drop ACE from future versions for two main reasons – ACE is a proprietary format, and nobody really uses ACE archives anymore. Even back in the 2000s not many people used ACE archives, and you do not really come across them nowadays, so not many people are going to miss the removed ACE support in WinRAR.
If you are able to update WinRAR, then you should install the latest version of WinRAR (as of now 5.70 beta 2) on your computer. But if you cannot install the new version (because your PC is old and the new version makes it slower), then just delete the UNACEV2.DLL file from the WinRAR installation folder. Another option is to just uninstall WinRAR and use 7-Zip instead.
You can read the detailed CheckPoint Security report here – https://research.checkpoint.com/extracting-code-execution-from-winrar/
“So if you try to extract files from a specially designed ACE archive, it will extract some files in the expected folder, but other malicious files in some locations in your computer such as the auto-start folder.”
No. The exploit allows extracting to the wrong folder only if certain conditions are met: if the winrar file is downloaded somewhere in C:\Users\\; and the user opens the archive by double-clicking on it or right-clicking on “extract to” (instead of launching winrar through the start menu for instance); then the contained file may be extracted in the autostart folder. And that’s all.
There’s no way this exploit can extract one normal file in one folder + one malicious hidden file in another folder. It’s the same and only file. Seems like a not very frightening exploit.
Unless you’re stupid, you won’t extract an exe file if you expected mp3 files.
Watch the video prepared by Checkpoint security. https://youtu.be/R2qcBWJzHMo