WinRAR zero-day opens millions of users to hacking

Pierluigi Paganini October 01, 2015

According to security researcher Mohammad Reza Espargham, a new zero-day flaw is threatening millions of users of the latest version of WinRAR.

Yesterday I reported the news of two critical vulnerabilities that affect the popular TrueCrypt application and the related risks for its users; today a new zero-day flaw is threatening millions of users of the latest version of WinRAR. WinRAR is a widely used tool for compressing and decompressing files and folders, and it accounts for more than 500 million installations.

According to Mohammad Reza Espargham, a security researcher at Vulnerability-Lab, the latest version of WinRAR for Windows, 5.21, is affected by a Remote Code Execution (RCE) flaw.
“A remote code execution vulnerability has been discovered in the official WinRAR SFX v5.21 software. The vulnerability allows remote attackers to execute unauthorized system-specific code to compromise a target system. The issue is located in the `Text and Icon` function of the `Text to display in SFX window` module. Remote attackers are able to generate their own compressed archives with malicious payloads to execute system-specific code for compromise. The attackers save the maliciously generated HTML code in the SFX archive input. This results in system-specific code execution when a target user or system opens the compressed archive,” states the technical description provided for the flaw.

The WinRAR RCE vulnerability has been ranked as ‘High Severity’, and the experts assigned it a score of 9 on the CVSS (Common Vulnerability Scoring System).

The attacker can exploit the vulnerability in WinRAR by inserting malicious HTML code in the “Text to display in SFX window” field when creating a new SFX file.

WinRAR SFX is a specific type of compressed executable with self-extracting capabilities; the attacker can abuse it to run arbitrary code when the victim opens the SFX file, as demonstrated in the video proof-of-concept published by Espargham.

An attacker can trigger the vulnerability with low user interaction and compromise the system, the host network or the device.

“Exploitation of the code execution vulnerability requires low user interaction (open file) without privileged system or restricted user accounts. Successful exploitation of the remote code execution vulnerability in the WinRAR SFX software results in system, network or device compromise,” continues the advisory.

“The major disadvantage arises because of SFX files, as they start functioning as soon as the user clicks on them. Therefore, users cannot identify and verify if the compressed executable file is a genuine WinRAR SFX module or a harmful one.”

The expert highlighted the absence of a patch and provided the following suggestions to WinRAR users:
  • Use an alternate archiving software
  • Do not click files received from unknown sources
  • Use strict authentication methods to secure your system
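The advisory's point that a user cannot tell a genuine WinRAR SFX module from a malicious one at a click is easier to act on at a gateway or in triage than at the desktop. The following helper is an added example, not code from the article or from Vulnerability-Lab: it flags Windows executables that carry an embedded RAR archive (the hallmark of an SFX module) using the published RAR 4.x and RAR 5 marker bytes, so such attachments can be quarantined for review rather than run. The sample "executables" are constructed inline and are not real SFX files.

```python
# Added example: triage helper that identifies self-extracting RAR archives
# (a PE executable with an embedded RAR archive) so they can be held for review.
# RAR4_MARKER and RAR5_MARKER are the documented RAR archive signatures; they
# differ in the seventh byte, so both must be checked.

RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"


def find_sfx(data: bytes):
    """Return ('rar4' | 'rar5', offset) when data is a PE (MZ) file carrying an
    embedded RAR archive, i.e. a likely SFX module; otherwise return None."""
    if not data.startswith(b"MZ"):
        return None  # not a Windows executable, so not an SFX module
    off5 = data.find(RAR5_MARKER)
    if off5 != -1:
        return ("rar5", off5)
    off4 = data.find(RAR4_MARKER)
    if off4 != -1:
        return ("rar4", off4)
    return None


def classify_attachment(name: str, data: bytes) -> str:
    """Human-readable triage verdict for a file that claims to be an executable."""
    hit = find_sfx(data)
    if hit is None:
        return f"{name}: no embedded RAR archive found"
    fmt, off = hit
    return f"{name}: SFX archive ({fmt} payload at offset {off}) -> quarantine for review"


# Constructed samples (hypothetical, not real PE files): a minimal MZ/PE stub
# followed by a RAR 4.x marker, and the same stub with no archive appended.
_PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
SAMPLE_SFX = _PE_STUB + RAR4_MARKER + b"\x00" * 16
SAMPLE_EXE = _PE_STUB

if __name__ == "__main__":
    print(classify_attachment("invoice.exe", SAMPLE_SFX))
    print(classify_attachment("setup.exe", SAMPLE_EXE))
```

A real SFX module is a full WinRAR stub of several hundred kilobytes, but the marker search works the same way on it; the check tells you only that an executable contains an archive, not whether its SFX script is benign.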

Pierluigi Paganini

(Security Affairs – W , hacking)
