The vulnerability was the result of an absolute path traversal flaw in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little to prevent exploitation.
The bug was discovered by a researcher from Check Point Software, who found that WinRAR used an outdated third-party code library that was compiled back in 2006 without protection mechanisms such as ASLR and DEP.
Initially, they had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. But with some trickery and path traversal, they managed to get an executable file extracted to the Windows Startup folder, where it would run on the next reboot.
To make the exploit work, the researcher misrepresented the Startup folder path as
“C:\C:C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe” instead of “C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe”
Because the UNACEV2 library has no protection mechanism, the filter function converts the former into the latter location.
With that, they created an exploit that dropped code of their choice into the Windows Startup folder, where it would be executed the next time Windows rebooted.
In the same post, the researcher also compares the proof-of-concept exploit to the zero-day exploits that exploit broker Zerodium said it would buy for as much as $100,000.
We're still paying up to $100,000 for #0day exploits (code execution) affecting major file archivers: WinRAR, 7-Zip, WinZip (on Windows) or tar (on Linux). For more information: https://t.co/fKnggJyb0H #BigBounties— Zerodium (@Zerodium) October 18, 2018
The researcher also shared a video demonstration of the bug, showing how simply extracting files with WinRAR could compromise the whole system.
Just hours ago, the exploit code for this bug (CVE-2018-20250) was released on GitHub. You can get it here, along with the technical details and PoC.