Experts at Check Point discovered the logical bug in WinRAR by using the WinAFL
Over 500 million users worldwide use
The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.
The issue affects a third-party library, called UNACEV2.DLL that is used by WINRAR.
The flaw resides in the way an old third-party library, called UNACEV2.DLL, handles the extraction of files compressed in ACE data format. The experts pointed out that WinRAR determines the file format by analyzing its content and not the extension, this means that an attacker can change the .ace extension to .rar extension to trick the victims.
The experts discovered that an attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup
“We have found a vector which allows us to extract a file to the Startup folder without caring about the <user name>.
By using the following filename field in the ACE archive:
It is translated to the following path by the CleanPath function:
“Moreover, this destination folder will be ignored because the GetDevicePathLen function will return 2 for the last “C:” sequence.”
The following video PoC shows how to gain full control over a targeted system by tricking the victims into opening maliciously crafted compressed archive file using WinRAR.
The worst aspect of the story is that WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. The way to approach the problem is drastic, the team
Don’t waste your time, install this new version of the software and do not open compressed archives with WINRAR that were received from unknown sources.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.