Security vulnerability detected in WinRAR software
This week, security researcher Mohammad Reza Espargham announced the discovery of a critical Remote Code Execution (RCE) vulnerability in the popular WinRAR v5.21 archiver. The program is used by more than 500 million people around the world. The vulnerability allows attackers to craft a special self-extracting (SFX) archive that will execute third-party code on the user's computer.
From the user's point of view, this vulnerability is insignificant. SFX archives are executable files, so to activate the exploit the user must download and run (!) the file. That is a security violation in itself, since launching executable files of unknown origin is highly discouraged (they can be malicious in their own right). The vulnerability is in the archiver's Text and Icon function, in the Text to display in SFX window option. To trigger it, the generated text in HTML format must be added to the SFX archive. The vulnerability allows the unpacker's executable code to download an executable file from the location specified there and execute it. The vulnerability does not work when the SFX archive is unpacked by the archiver itself rather than launched manually, that is, when the initial executable code is never activated.
Fig. Demonstration of exploitation of the vulnerability.
We do not recommend running executable files obtained from an untrusted source. It should be noted that WinRAR itself contains a standard function that runs an additional executable file when the user starts the SFX archive. In addition, SFX archives created by WinRAR are not digitally signed, so the user has little chance of verifying that the archive file is genuine and has not been compromised by anyone. Attackers can take an original SFX archive, modify the unpacker code, and then distribute it through suspicious resources and torrents as legitimate. Such an operation is not an exploitation of any kind of vulnerability, but it will lead to similar consequences for the user.
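The point about unsigned SFX archives can be checked statically, without running the file. The following is an added example, not code from the original article: it reports whether a file is a Windows executable that carries a RAR archive and whether its PE header references a certificate table at all. The function names `triage_sfx` and `build_sample` are hypothetical, and the sample bytes are constructed.

```python
import struct

RAR_MARKERS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table

def triage_sfx(data: bytes) -> dict:
    """Static check only: the file is never executed."""
    result = {"is_pe": False, "rar_offset": None, "has_cert_table": False}
    try:
        if data[:2] != b"MZ":
            return result
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\x00\x00":
            return result
        result["is_pe"] = True
        opt = pe_off + 24  # skip 4-byte signature and 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
        count = struct.unpack_from("<I", data, dirs - 4)[0]
        if count > SECURITY_DIR:
            # For this directory the first field is a file offset, not an RVA.
            off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
            result["has_cert_table"] = off > 0 and size > 0 and off + size <= len(data)
    except struct.error:
        return result  # truncated or malformed header
    hits = [p for p in (data.find(m, pe_off) for m in RAR_MARKERS) if p != -1]
    result["rar_offset"] = min(hits) if hits else None
    return result

def build_sample(signed: bool) -> bytes:
    """Constructed input: minimal PE32 header plus a RAR 4.x marker, not a real archive."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    blob = bytearray(dos + coff + bytes(opt) + RAR_MARKERS[0] + b"\x00" * 16)
    if signed:
        blob += b"\x00" * 8                 # placeholder bytes, not a real signature
        struct.pack_into("<II", blob, 0x58 + 96 + 8 * SECURITY_DIR, len(blob) - 8, 8)
    return bytes(blob)

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, triage_sfx(build_sample(flag)))
```

A present certificate table only means a signature blob is attached; whether it is valid and who issued it still has to be verified with the operating system's signature tools.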