Spartan Posted February 21, 2019

Researchers from Check Point Software, the security firm that discovered the vulnerability, initially had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. The most obvious path—to have an executable file extracted to the Windows startup folder where it would run on the next reboot—required WinRAR to run with higher privileges or integrity levels than it gets by default.

To clear that hurdle, the researchers wrote a proof-of-concept exploit that misrepresented the startup folder—“C:\C:C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe” instead of “C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe”—after discovering that a filter function in UNACEV2 library would convert it to the latter location. With that, they created an exploit that dropped code of their choice into the Windows startup, where it would be executed the next time Windows rebooted.

In release notes published late last month, WinRAR officials said they patched the vulnerability. “UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code,” the officials wrote. “So we decided to drop ACE archive format support to protect security of WinRAR users.”

The code-execution vulnerability in WinRAR has existed the entire 14 years since the UNACEV2 library was created, and possibly earlier, Check Point researchers said in a blog post. In the same post, they compared their proof-of-concept exploit to zero-day attacks exploit broker Zerodium said it would buy for as much as $100,000.
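An added example (not part of the original post, and not WinRAR or UNACEV2 code): a Python check an extractor could run on every archive entry name, deciding containment on the final normalized path rather than on the raw name. The function name `safe_extract_path` and the destination folder are assumptions made for illustration; the two rejected strings in the sample list are the ones quoted in the post.

```python
import ntpath  # Windows path rules as pure string functions; runs on any OS


def safe_extract_path(dest_dir, entry_name):
    """Return the final path for an archive entry, or None if it must be refused.

    Assumption: dest_dir is an absolute Windows path chosen by the user.
    """
    dest = ntpath.normpath(dest_dir)
    # A colon means a drive prefix ("C:\..." or drive-relative "C:..\...")
    # or an NTFS alternate data stream; none belong in an entry name.
    if not entry_name or ":" in entry_name:
        return None
    # Build the path exactly as it would be opened, then collapse "..".
    target = ntpath.normpath(ntpath.join(dest, entry_name))
    # Containment is decided on the final string, case-insensitively.
    # The trailing separator stops "out" from matching a sibling "outside".
    prefix = ntpath.normcase(dest).rstrip("\\") + "\\"
    if not ntpath.normcase(target).startswith(prefix):
        return None
    return target


# Constructed destination folder; "alice" is a placeholder user name.
DEST = r"C:\Users\alice\Downloads\out"
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe"

SAMPLES = [
    r"docs\readme.txt",          # ordinary entry, accepted
    "docs/notes.txt",            # forward slashes are normalized, accepted
    "C:\\C:C:..\\" + STARTUP,    # first string quoted in the post
    "C:..\\" + STARTUP,          # second string quoted in the post
    "..\\..\\" + STARTUP,        # plain relative traversal
    r"..\outside\file.txt",      # sibling folder sharing the "out" prefix
    r"\\server\share\file.txt",  # UNC path replaces the destination entirely
]

if __name__ == "__main__":
    for name in SAMPLES:
        result = safe_extract_path(DEST, name)
        print("REFUSE" if result is None else "OK    ", name)
```
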
karthikn Posted February 21, 2019

That's why I always use 7zip. Frock winrar