WinRAR critical vulnerability

Iranian researcher Mohammad Reza Espargham discovered the RCE vulnerability (remote code execution) in one of the most popular archiving utilities, WinRAR. This utility is used by about 500 million users worldwide, which makes the vulnerability quite common.

Vulnerability is in insufficient data processing from the panel of the “Text” module, tab “Text to display in SFX window”. The attacker can supply the sfx archive with an additional payload (payload) to attack the target system. The danger is that the user, even having suspected and checking the file with the antivirus, most likely will not be able to detect the “hidden surprise” in the archive attachment.
')
The vulnerability is related to the possibility of modifying WinRAR self-extracting archives (SFX) in such a way that at the moment of launch they run the executable code.

The description of the vulnerability is quite simple: http://seclists.org/fulldisclosure/2015/Sep/106

1. Run perl code: perl poc.pl
2. Right click on any file and select "add to archive ..."
3. Select "Create SFX archive"
4. Go to the Advanced Menu and select "SFX options ..."
5. Go to the "Text and icon" Menu
6. Copy this perl output (HTML) and past on "Text to display in SFX window"
7. Click OK - OK
8. Your SFX file Created
9. Just open sfx file
10. Your Link Download / Execute on your target
11. Successful reproduce of the code execution vulnerability!

Although archives are currently one of the most popular means of delivering malicious code, WinRAR representatives pointed out that the self-extracting SFX archive itself is quite dangerous, however, this kind of vulnerability opens up additional possibilities for compromising information systems to attackers.

“If you’re not a problem, you’ll be able to use it. code or archived executables for their purpose. If you receive a trustworthy source, you can only remind users once again to run .exe files.

An example of an attack demonstration: