Security Week 09: 19-year vulnerability in WinRAR

We announce a week of prehistoric bugs. The vulnerability in the WinRAR archiver, detected and closed at the end of January, was described in detail by Check Point Software specialists ( news , original research ). In the worst case, a breach allows you to unpack a malicious file in an arbitrary place on your hard drive, for example, in the Windows autorun directory.

This vulnerability makes you think about the use of hard-to-check third-party libraries in your software, but not only. Today we will briefly talk about the problem itself, about the decision of WinRAR developers to abandon the library for unpacking archives in the ACE format, and also raise the topic of updating WinRAR on users' computers. Looking ahead: although the news and caused a serious resonance, it is rather a story with a happy ending. But on the class of vulnerabilities associated with the processing of any archives arriving on your computer, you should pay special attention.

In the original report, many (interesting) details are given before the demonstration of the problem, but let's immediately look at the result.


')
The prepared archive is saved on the desktop, the user tries to unpack it there, but instead the executable file is written to the autorun directory. How did that happen? The researchers used fuzzing technology, namely the WinAFL package, supported by the Google Project Zero team and the Windows version of the american fuzzy loop program. Like other similar tools, WinAFL allows you to explore the security (or stability) of the software, passing random (or not quite) data to the application and saving the reaction. Fuzzers can be considered a sort of “magic wand” by a security researcher. They help detect a variety of program crashes in places where they should not be.

However, the Check Point report shows that not everything is so simple. The WinRAR study using WinAFL helped to identify several unexpected application crashes and brought researchers to a library that processes archives in the ACE format — a proprietary archival standard. This library (unacev2.dll) was last updated in 2006 and did not have standard protection mechanisms (such as ASLR or DEP). However, she was present in all versions of WinRAR over the past 19 years and, as it turned out later, all this time has been vulnerable. At the time of the discovery of the bug, the WinRAR developers did not have access to its source code. ACE was a commercial archiver in its time, the unpacking library was free, but it was legal to create archives in this format only with the help of WinACE utility utility (updated until 2007, the program website existed until 2017; now it is clearly abandoned software ).

It did not work out to find a simple Path Traversal vulnerability, when the archiver unpacks the file into an arbitrary directory, but this time after studying the features of the format using both the original WinACE program and the freely distributed unpacking code Python. In the next campaign after random glitches, the researchers found a file that was not saved at all to the place where WinAFL should have saved the result of the library launch.



The fact is that the ACE archiver allows you to save the full path to the zipped file. In a normal situation, this path is added to the unpacked path selected by unzipping. During fuzzing, it turned out that some data set made it possible to make the path absolute, that is, to unpack the file, not where the user pointed, but anywhere, but this is not very good. Further it seems to be easy - you need to apply the same trick when working not with the library directly, but with WinRAR itself, right? Not really: the vulnerability was not reproduced. I will not retell the entire history of finding the right combination of parameters and bypassing another validation stage in WinRAR itself: the program checks and removes crime from the save path in order to avoid just such situations. But checks, as it turned out, not all possible options.



It turned out that's what. This is a screenshot of the “prepared” archive analysis using the Python code mentioned above. The double c: \\ at the beginning of the path is processed by the unacev2 library and by WinRAR itself so that the file is written to an arbitrary directory. It seems to be ready to exploit? Again, no, more precisely not quite. Attempting to write an executable file to the startup directory in this configuration will trigger the Windows protection. But the researchers managed to find a way to work around this limitation if the file is saved in the user's directory, for example, in the Downloads folder or on the desktop (which is quite likely). As shown in the video at the beginning, it was possible to save the prepared file to the user's autorun directory by moving to one folder above in the file path.

What is the result? In the version of WinRAR 5.70 Beta 1, the vulnerability was fixed, completely abandoning the use of an outdated library for working with ACE files. It is unlikely that someone will be seriously upset about this. By the way, the advice given in the article on ZDNet, “not to open suspicious archives in ACE format” is a bit wrong. WinRAR does not identify files by permission, and the exploit will work with a vulnerable version of the program, even if the prepared ACE archive has the .rar extension (or any other). Do not open suspicious archives - this is good, but generally it needs to be updated.



And now, for a moment, take a break from the post and see which version of WinRAR you have installed (if, of course, you use this archiver). For orientation: version 5.50 was released in 2017, 5.00 - in 2012, 3.90 - in 2009. With some probability, the release date of WinRAR will roughly correspond to the date of the initial system setup, as there is still no automatic update feature in this program. As can be seen from the tweet of the Zerodium vulnerability broker, there is a demand for working exploits in archivers. Vulnerabilities similar to those found in the ACE archives library can be used for mass or targeted attacks on victims' computers. It should be noted that the chances of successful operation of such a bug are far from one hundred percent. With a high probability, the infected archive will be blocked by the postal service (true, for example, for GMail, now there are no passwords and archives with executable files inside it) or anti-virus software. Unless, of course, you have it.

Nevertheless, all these annoying reminders of the need to update one of the dozens of programs installed on your computer make sense. Otherwise, it is easy to miss a serious vulnerability that will work at the most inopportune moment. In fairness, we note that serious problems in WinRAR appear infrequently.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.