WinRar vulnerability, unclosed for 19 years, allows to place the unpacked file in any place

Check Point cybersecurity experts have discovered a serious vulnerability in the WinRar archiver. Then they also showed how using this vulnerability it is possible to unpack a file in an arbitrary place - not at all what the user specifies.

Well, since the archiver users are about half a billion, this vulnerability threatens everyone. It is worth noting that the problem in question has existed for 19 years already, nobody has closed the vulnerability during this time.

The specialists who discovered the problem first notified the WinRar developers and they closed the “hole”. And only after that, representatives of Check Point set out the details in the network, talking about the technical details of the already eliminated vulnerability.
')


As it turned out, the problem is related to the UNACEV2.DLL library. It is part of the distribution of almost all versions of the archiver for many years. The library was last updated in 2005. She is responsible for unpacking archives in ACE format (which, by the way, are not so often). It is clear that in the time that has passed since the library was updated, a lot of things happened in the world of information technologies, and they were able to detect the hidden vulnerability without any special problems.

In order to unpack your file in an arbitrary place, you need to create an ACE archive. Only this path will allow to bypass the unpacked directory specified by the user. Information security specialists were able to place malicious software in the Startup directory, from where the malware will run each time the system boots.


The problem is not single, experts have discovered several vulnerabilities at once (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253). But they were eliminated in the release of WinRAR 5.70 Beta 1. It is worth noting that the decision was original. Due to the fact that the source code of the UNACEV2.DLL library was lost many years ago, it was decided not to renew it. Nobody carried out reverse engineering of the library, the developers completely refused to support the ACE format.

The creators of WinRar advised users to install the update as quickly as possible, in addition, information security experts recommend not to open the ACE archives, at least those that are received from unknown senders. It may well be that attackers who have learned about the problem will spread infected archives, which will lead to the infection of a large number of user machines.

Now it is not known whether this vulnerability was used by attackers earlier or not. But, as mentioned above, half a billion archiver users are at risk.

It is worth noting that zero-day vulnerabilities such as this are readily bought by companies that are engaged in the acquisition of technology for various states and the military. One of the organizations that is officially engaged in buying vulnerabilities and exploits is Zerodium. Relatively recently, she raised the award for working WhatsApp and iMessage hacking tools from several hundred thousand US dollars to $ 1 million.

“Messaging applications, including WhatsApp, sometimes work as a communication channel for intruders, and encryption makes it difficult for security forces to get the necessary data,” said Zerodium founder Chauki Bekrar.

The clients of this organization were government departments such as Equation Group (FiveEyes, Tilded Team) and Animal Farm (Snowglobe). It is worth noting that not only buyers, but also sellers, including cybersecurity experts, who want to sell the detected vulnerability at high prices, apply to Zerodium and other similar companies. Yes, many software and hardware vendors have their own bounty program, but there are two problems here. The first is that remuneration is not always paid. The second is that the remuneration of the bounty program and Zerodium may differ by several times, and far from in favor of the programs.