Security researchers reveal details of serious bug in compression tool WinRAR
If you're a user of WinRAR -- a staple tool for decompressing files whose popularity stems from not only its support for RAR files, but also its never-ending trial period -- it's time to ensure you have the latest security patch installed.
Security experts from Check Point Research have revealed details of a serious bug that has been present in the software for at least 14 years. The archiving tool was found to have a vulnerability in one of its .dll files, which could be exploited by simply opening a compressed file, and allows an attacker to "gain full control over a victim's computer".
The problem lies in the file unacev2.dll which WinRAR uses for parsing ACE archives. While it is fair to say that ACE is far from the most commonly-used compression format, Check Point Research was surprised to find that WinRAR used a 2006 version of the .dll which was not entirely secure.
The flaw is an absolute path traversal vulnerability, and it can be exploited by disguising a malicious ACE file as a RAR archive. It has multiple implications. Not only can an attacker extract the contents of an archive to a location of their choosing rather than where the user wants, it is also possible to drop malicious files into the Windows Startup folder -- with potentially drastic consequences.
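The check an extraction tool needs in order to refuse such entries can be sketched as follows. This is an added example, not code from WinRAR, UNACEV2.DLL or Check Point; the function names, destination folder and entry names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

def resolve_entry(dest_dir, entry_name):
    """Return the path an archive entry would be written to under dest_dir.

    Raises ValueError if the name is absolute or resolves outside dest_dir.
    dest_dir must itself be an absolute Windows path.
    """
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # "C:\x", "C:x" and "\\host\share\x" all carry a drive part; "\x" is rooted.
    if drive or rest.startswith("\\"):
        raise ValueError("absolute path in entry name: %r" % entry_name)
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, rest))
    # Compare case-insensitively, on a component boundary, after ".." is collapsed.
    d = ntpath.normcase(dest).rstrip("\\")
    t = ntpath.normcase(target)
    if t != d and not t.startswith(d + "\\"):
        raise ValueError("entry escapes destination: %r" % entry_name)
    return target

def audit(dest_dir, entry_names):
    """Split entry names into (safe target paths, rejected names with reasons)."""
    safe, rejected = [], []
    for n in entry_names:
        try:
            safe.append(resolve_entry(dest_dir, n))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return safe, rejected

# Constructed sample data, not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\out"
ENTRIES = [
    r"docs\readme.txt",
    r"a\..\b.txt",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe",
    r"..\..\notes.txt",
    r"\\host\share\x.txt",
    "C:x.txt",
]

if __name__ == "__main__":
    ok, bad = audit(DEST, ENTRIES)
    for p in ok:
        print("ok      ", p)
    for n, why in bad:
        print("rejected", why)
```

Only the first two entries resolve inside the destination folder; the drive-qualified, parent-relative, UNC and drive-relative names are all refused before anything is written.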
Check Point Research has written up its findings, and also shared a proof of concept video.
Check Point worked with RAR Labs to get the problem addressed. Last month, the WinRAR developer released an updated version of the software, with a note in the changelog about the vulnerability:
Nadav Grossman from Check Point Software Technologies informed us about a security vulnerability in UNACEV2.DLL library. Aforementioned vulnerability makes it possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives.
WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.
We are thankful to Check Point Software Technologies for reporting this issue.
So in short, you need to upgrade to the latest version of WinRAR to ensure you are protected -- it just means you will lose the ability to work with ACE archives.