WinRAR flaw allows hackers to gain full control over computer
WinRAR, a popular file compression tool, has patched a newly discovered 19-year-old security flaw that affects 500 million users. The path traversal vulnerability, which WinRAR fixed in January, could allow hackers to remotely execute code on victims' machines by tricking them into opening a file. Researchers at Check Point Software found a logical bug and were able to gain full control over a victim's computer. The exploit works by just extracting an archive. This vulnerability has existed for almost 19 years and forced WinRAR to completely drop support for the vulnerable format.
WinRAR is a popular file-archiving utility for Windows, which can create and extract archives in Roshal Archive Compressed (RAR) or ZIP file formats, and extract numerous other archive file formats. Researchers found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library in WinRAR used for parsing ACE archives. A path-traversal attack allows hackers to access directories and files, such as configuration files or other files containing server data, that are not intended to be public. When taking a closer look at unacev2.dll, researchers found that it is an old DLL compiled in 2006 without any protection mechanisms. Researchers were able to rename an ACE file and give it a RAR extension. When the fake ACE file was opened by WinRAR, its malicious payload was extracted to the system's startup folder, and the program would automatically begin running when the system started. If a hacker used spear-phishing to send a victim an ACE file, and the victim opened the file in WinRAR, the file would automatically extract into the startup folder and malware could then be quickly installed on the system.
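A defender-side sweep for the renamed-archive trick described above, as an added example (not code from Check Point or WinRAR): it reads each file's leading bytes and reports ACE content that carries any extension other than `.ace`. The signatures are standard file-format markers; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Format signatures (file-format facts, not taken from the article).
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5
ACE_MAGIC, ACE_OFFSET = b"**ACE**", 7   # ACE marker sits at byte offset 7


def sniff_format(header: bytes) -> str:
    """Identify an archive by content, ignoring the file name."""
    if header.startswith(RAR_MAGICS):
        return "rar"
    if header[ACE_OFFSET:ACE_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def find_disguised_ace(root: str) -> list:
    """Return (file name, extension) for ACE content not named *.ace."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            ext = os.path.splitext(name)[1].lower()
            if sniff_format(header) == "ace" and ext != ".ace":
                hits.append((name, ext))
    return sorted(hits)


def demo() -> list:
    """Scan a temp directory of constructed headers (not real archives)."""
    samples = {
        "report.rar": RAR_MAGICS[1] + b"\x00" * 8,        # genuine RAR5 signature
        "invoice.rar": b"\x00" * ACE_OFFSET + ACE_MAGIC,  # ACE content, RAR name
        "backup.ace": b"\x00" * ACE_OFFSET + ACE_MAGIC,   # ACE, honestly named
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_disguised_ace(root)


if __name__ == "__main__":
    print(demo())
```

Pointing `find_disguised_ace` at a mail-attachment or downloads directory gives a quick list of files to quarantine on hosts that have not yet been updated.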
The proof of concept exploits a series of vulnerabilities including CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253. WinRAR patched the vulnerabilities in a new version of the software in January as soon as they were made known. It removed support for the ACE file format in the new Beta version 5.70. On its website, WinRAR stated that ACE archive format support was removed because it did not have access to the source code for unacev2.dll. Users of WinRAR should immediately update to WinRAR 5.70.