WinRAR Fixed Critical RCE Bug that Remained for 14 Years

Admin

Updated on: February 22, 2019

Popular file compression program 'WinRAR' that have more than 500 millions users worldwide have recently patched Remote Code Execution bug which resided for the last 14 years.

The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there were little-preventing exploits.

The bug has been discovered by the researcher from the Check Point Software, who found that WinRAR used outdated third-party code library that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.).

Initially, they had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. But with some trick and path traversal, they managed to have an executable file extracted to the Windows startup folder where it would run on the next reboot.

To make the exploit work, researcher misrepresented the startup folder by -

“C:\C:C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe” instead of “C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe”

Because there is no protection mechanism on UNACEV2 library, the filter function converts it to latter location.
With that, they created an exploit that dropped code of their choice into the Windows startup, where it would be executed the next time Windows rebooted.

On the same post, the researcher also compares his proof-of-concept exploit to zero-day attacks exploit broker Zerodium said it would buy for as much as $100,000.

We're still paying up to $100,000 for #0day exploits (code execution) affecting major file archivers: WinRAR, 7-Zip, WinZip (on Windows) or tar (on Linux). For more information: https://t.co/fKnggJyb0H #BigBounties
— Zerodium (@Zerodium) October 18, 2018

The code-execution vulnerability in WinRAR has existed the entire 14 years since the UNACEV2 library was created, and possibly earlier.
The researcher also shared the video demonstration of the bug showing how simply extracting the files with WinRAR could compromise the whole system.

WinRAR have fixed the bug and released the patched version. As the bug was due to third-party library UNACEV2.dll, which did not comply from a long time, and WinRAR team do not have access to its source code. So they decided to drop ACE archive format support to protect the security of WinRAR users.

Update:
Just a hours ago the exploit code for this bug (CVE-2018-20250) have released on guthub. You can get here with the technical details and poc.