
Nasty code-execution bug in WinRAR threatened millions of users for 14 years


WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a more than 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.

The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.
--- End quote ---

I knew there was a reason everybody could keep using it even after trial period expired  :P

Note: I have used 7-zip in the past and currently Peazip, good enough imo

This can affect you even if you are not trying to open an .ace file, as the vulnerability can be exploited with a specially crafted .ace file renamed to .rar. WinRAR's fix for the problem was to completely drop support for the ACE format, since they don't have access to the UNACEV2.DLL source code to patch it.

If you are using an older version of WinRAR and don't want to pay for an upgrade to the latest beta version just yet, you can fix the problem, removing the vulnerable code yourself, by deleting the UNACEV2.DLL file from the WinRAR program folder. WinRAR will still work just fine without it, but won't be able to extract .ace files.

Interesting - I wonder if this exploit has been used in the wild?

Also:  The more significant impact of Check Point’s research may be the fallout created if other apps that bundle UNACEV2 suffer from similar traversal vulnerabilities.
--- End quote ---

I use PowerArchiver and it contains a UNACEV2.dll (though it's from 2007, not 2005). I'll have to ask about this on their forum. In the meantime I have removed the DLL. The program seems to still run fine - I assume it only loads the DLL if it has to deal with an ACE archive. If you use any archiving utility it might not be a bad idea to check if that DLL is used.
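Added example, not part of any post in this thread: a Python audit covering the two checks suggested above, finding bundled copies of UNACEV2.DLL and flagging files whose header carries the ACE signature (`**ACE**` at byte offset 7) under a different extension such as .rar. The function names and the sample tree are hypothetical, and the sample files are constructed header bytes, not real archives.

```python
import os
import tempfile

ACE_MAGIC, ACE_OFFSET = b"**ACE**", 7   # ACE signature sits 7 bytes into the header
RAR_MAGIC = b"Rar!\x1a\x07"             # what a genuine .rar starts with

def sniff_format(path):
    """Identify an archive by its header bytes, ignoring the file name."""
    with open(path, "rb") as fh:
        head = fh.read(ACE_OFFSET + len(ACE_MAGIC))
    if head[ACE_OFFSET:] == ACE_MAGIC:
        return "ace"
    return "rar" if head.startswith(RAR_MAGIC) else "other"

def audit(root):
    """Walk root; return (ACE archives under another extension, UNACEV2.DLL copies)."""
    disguised, dll_copies = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == "unacev2.dll":
                dll_copies.append(path)
                continue
            try:
                kind = sniff_format(path)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if kind == "ace" and not name.lower().endswith(".ace"):
                disguised.append(path)
    return sorted(disguised), sorted(dll_copies)

def build_sample_tree(root):
    """Constructed sample data: header bytes only, not real archives."""
    samples = {
        "invoice.rar": b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16,  # ACE header, .rar name
        "backup.rar": RAR_MAGIC + b"\x00" * 16,                  # genuine RAR header
        "old.ace": b"\x00" * 7 + ACE_MAGIC,                      # honestly named ACE
        os.path.join("SomeArchiver", "UNACEV2.DLL"): b"MZ",      # placeholder file
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        disguised, dlls = audit(tmp)
        print("ACE content under another extension:", disguised)
        print("UNACEV2.DLL copies:", dlls)
```

To use it on a real machine, call `audit()` on a downloads folder or on the program folders where archivers are installed instead of the sample tree.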

Thanks for posting this -- blogged it.

