Serious RCE Vulnerability Affects Older WinRAR Versions

Heads up, WinRAR users! If you’re still running the older versions of the freeware utility, then it’s time to update your systems now. A serious remote code execution vulnerability cripples older WinRAR versions that the vendors have fixed in the latest release.

WinRAR RCE Vulnerability

Researchers from Positive Technologies have uncovered a critical vulnerability in the WinRAR file archive utility allowing remote code execution.

WinRAR is a dedicated file archiving utility for Windows and Android. The software is available as a shareware, encouraging users to subscribe to premium versions for an inclusive experience. However, the tool doesn’t restrict users from using it for free. Hence, it’s popular as a free file compression tool for packing and unpacking .zip and .rar files.

As elaborated in their post, the researchers found the bug “by chance” in the WinRAR 5.70 trial version while using. They observed a JavaScript error that popped up unexpectedly, hinting at an Internet Explorer instance when displaying the trial-period notifier window.

After a few experiments, it became clear that once the trial period has expired, then about one time out of three launches of WinRAR.exe application result in this notification window being shown. This window uses mshtml.dll implementation for Borland C++ in which WinRAR has been written.

The researchers then evaluated if an adversary could exploit the phenomenon maliciously. They found that replacing the default domain could easily redirect all requests to the other domain.

Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.

Thus, an adversary could conduct MiTM attacks via ARP spoofing and gain access to the target users’ devices. The attacker could also open other apps and run scripts on the target device.

Although, some of these actions might display prompts to alert the target user of unidentified actions. However, running .docx, .pdf, .py, and .rar files would show no alerts.

Patch Deployed

The vulnerability has received the CVE ID CVE-2021-35052, but the details about the CVSS score and severity are yet unavailable.

Following the bug report, the vendors have patched the bug with the latest WinRAR version 6.0.2.

Given the potential security risks with the bug, users must ensure downloading the latest WinRAR version to remain safe.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients