- The popular file-archiving tool had a serious security bug that allowed attackers to compromise user systems using malicious archives.
- It is estimated that over 500 million WinRAR users are affected by this vulnerability present in older versions.
WinRAR, one of the most popular file archiving program used by Windows users, was found to have a serious security flaw in the program.
Security firm Check Point’s research division which discovered this bug a couple of days ago, stated that the flaw existed for over 19 years. An outdated dynamic link library (DLL) in WinRAR lacking any security mechanism, led to a memory execution bug allowing attackers to orchestrate remote code execution (RCE) attacks.
Malicious archive files can be used for exploitation
When the research team conducted a fuzzing process using WinAFL fuzzer, they found that multiple archive formats such as RAR, LZH, and ACE were crashing during extraction. It was mainly due to memory-related vulnerabilities like out-of-bounds write, as per the researchers.
These flaws did not compromise the program’s control to any other processes. However, the ACE crashing could allow external entities to deploy malicious archives.
“The exploitation of these vulnerabilities, though, is not trivial because the primitives supplied limited control over the overwritten buffer. However, a crash related to the parsing of the ACE format caught our eye. We found that WinRAR uses a DLL named unacev2.dll for parsing ACE archives. A quick look at this DLL revealed that it’s an old dated DLL compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them,” elaborates Check Point’s blog.
After CheckPoint informed the WinRAR team, the latter decided to drop the DLL file altogether in its functionality. “UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users,” read WinRAR’s latest release notes.