An Old WinRAR Vulnerability Left Users At Risk For Two Decades

Have you ever thought that an apparently harmless yet useful tool like WinRAR could pose security threats? It certainly can. As highlighted in a recent report, the vendors have patched a WinRAR vulnerability with the latest software version. What’s more worrying is that the flaw existed for around two decades, threatening 500 million users.

ACE WinRAR Vulnerability Discovered

Researchers from Check Point Research have discovered a flaw in the popular archive tool WinRAR. Exploiting this WinRAR vulnerability could let a remote attacker execute code on the target machine. The researchers have described the details of the flaw in their recent blog post.

As revealed, they found a logical vulnerability, an ‘Absolute Path Traversal’, affecting an old dynamic link library (DLL) file. The vulnerability had existed since the DLL was created back in 2006 without security protections.

“We found a Path Traversal vulnerability in unacev2.dll. It enables our harness to extract the file to an arbitrary path, and completely ignore the destination folder, and treats the extracted file relative path as the full path.”

To exploit the flaw, an attacker simply had to rename an ACE file to RAR. Then WinRAR could extract the malicious code from this .rar file and save it to the target computer’s Startup folder. This could result in code execution the next time the computer starts.
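The path handling described above can be shown from the defender's side. The following is an added example, not code from Check Point, RARLAB or unacev2.dll: it contrasts a naive join of the destination folder with the stored entry name against a check that rejects absolute, drive-qualified and parent-traversing names. The function names, the destination folder and the sample entry names are hypothetical and constructed for illustration; Windows path rules come from Python's `pathlib.PureWindowsPath`.

```python
from pathlib import PureWindowsPath


def naive_target(dest_dir, entry_name):
    """Vulnerable pattern: trust the stored name and join it to the destination."""
    # Joining an absolute path discards dest_dir entirely, so the stored
    # name is treated as the full path, as in the quoted finding.
    return PureWindowsPath(dest_dir) / PureWindowsPath(entry_name)


def safe_target(dest_dir, entry_name):
    """Return the write path for an entry, or raise ValueError if it escapes dest_dir."""
    entry = PureWindowsPath(entry_name.replace("/", "\\"))
    # A drive letter ("C:"), a UNC share ("\\\\server\\share") or a leading
    # backslash all make the name independent of the destination folder.
    if entry.drive or entry.root:
        raise ValueError(f"absolute or drive-qualified name: {entry_name!r}")
    if ".." in entry.parts:
        raise ValueError(f"parent-directory component in name: {entry_name!r}")
    if not entry.parts:
        raise ValueError(f"empty entry name: {entry_name!r}")
    return PureWindowsPath(dest_dir) / entry


def audit(dest_dir, entry_names):
    """Return (name, reason) for every entry that must not be extracted."""
    rejected = []
    for name in entry_names:
        try:
            safe_target(dest_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return rejected


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    "docs\\readme.txt",
    "C:\\other\\folder\\payload.exe",
    "\\\\server\\share\\payload.exe",
    "..\\..\\outside.txt",
    "images/logo.png",
]

if __name__ == "__main__":
    dest = "C:\\Extract"  # hypothetical destination folder
    print("naive:", naive_target(dest, SAMPLE_ENTRIES[1]))
    for name, reason in audit(dest, SAMPLE_ENTRIES):
        print("rejected:", reason)
```
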

WinRAR Ended Support For ACE Format

After receiving the report of the flaw, RARLAB didn’t intend to fix it. Rather, they decided to end support for the vulnerable ACE format right away. As stated on their website:

“WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.”

Hence, as of WinRAR version 5.7 beta 1, WinRAR no longer supports ACE files.
