topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 7:36 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Nasty code-execution bug in WinRAR threatened millions of users for 14 years  (Read 6327 times)

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a more than 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.

The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.


rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,192
    • View Profile
    • Donate to Member
I knew there was a reason everybody could keep using it even after trial period expired  :P

Note: I have used 7-zip in the past and currently Peazip, good enough imo

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
This can affect you, even if you are not trying to open an .ace file, as the vulnerability can be exploited with a specially crafted .ace file, renamed to .rar. WinRAR's fix for the problem was to completely drop support for the ACE format, since they don't have access to the UNACEV2.DLL source code, to patch it.

https://threatpost.c...illion-users/142080/

If you are using an older version of WinRAR and don't want to pay for an upgrade to the latest beta version, just yet, you can fix the problem, removing the vulnerable code yourself, by deleting the UNACEV2.DLL file from the WinRAR program folder. WinRAR will still work just fine without it, but won't be able to extract .ace files.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Interesting - I wonder if this exploit has been used in the wild?

Also: 
The more significant impact of Check Point’s research may be the fallout created if other apps that bundle UNACEV2 suffer from similar traversal vulnerabilities.

I use PowerArchiver and it contains a UNACEV2.dll (though it's from 2007, not 2005).  I'll have to ask about this on their forum.  In the meantime I have removed the DLL.  The program seems to still run fine - I assume it only loads the DLL is it has to deal with an ACE archive. If you use any archiving utility it might not be a bad idea to check if that DLL is used.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Thanks for posting this -- blogged it.