For nearly 20 years, a severe vulnerability has been hidden inside the popular compression utility WinRAR that an attacker could use to get complete control of a victim’s machine with very little effort.
WinRAR is used to compress and unpack various file formats and has been around for almost 25 years. Check Point Research decided to have a look at WinRAR recently and see if there were any easily exploitable vulnerabilities. Using a fuzzer, the researchers found a number of crashes, one of which led them to focus on a DLL that’s included with WinRAR and is used specifically to parse files in the ACE format. The researchers were expecting to find some kind of memory corruption vulnerability, but stumbled upon something else, instead.
“We turned our focus and fuzzer to this ‘low hanging fruit’ dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution. However, the fuzzer produced a test case with ‘weird’ behavior. After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution,” Nadav Grossman of Check Point Research wrote in an analysis of the fuzzing and research effort.
“We found that WinRAR uses a dll named unacev2.dll for parsing ACE archives. A quick look at this dll revealed that it’s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them.”
The DLL that the researchers targeted had none of the exploit mitigations that modern binaries typically carry, such as ASLR or DEP. Those mitigations make memory-corruption bugs considerably harder to exploit reliably, but they weren’t as widely adopted in 2006 as they would become a few years later. In this case the bug was a logic flaw rather than memory corruption, so no mitigation bypass was needed: the Check Point researchers developed an exploit for the vulnerability they discovered, and it lets them run arbitrary code on a victim’s machine.
“We can gain code execution, by extracting a compressed executable file from the ACE archive to one of the Startup Folders. Any files that reside in the Startup folders will be executed at boot time,” Grossman wrote.
“To craft an ACE archive that extracts its compressed files to the Startup folder seems to be trivial, but it’s not.”
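The check an archive extractor needs in order to refuse the absolute path traversal described above, written here as an added example (this is not WinRAR’s or unacev2.dll’s code); the destination folder and the entry names are constructed for illustration:

```python
from pathlib import PureWindowsPath
from typing import Dict, Optional


def target_path(dest_root: str, entry_name: str) -> Optional[PureWindowsPath]:
    """Return where entry_name may be written under dest_root, or None
    if the name would escape it. Windows path semantics are used on
    purpose: the extractor discussed in the article runs on Windows."""
    root = PureWindowsPath(dest_root)
    if not root.is_absolute():
        raise ValueError("dest_root must be an absolute path")
    # Archive writers may use either separator; normalise before parsing.
    entry = PureWindowsPath(entry_name.replace("/", "\\"))
    # Absolute path traversal: a drive letter, UNC prefix or leading
    # backslash lets the archive pick its own root (e.g. a Startup
    # folder) instead of the directory the user chose.
    if entry.drive or entry.root:
        return None
    # Relative traversal: any '..' component walks upward out of dest_root.
    if not entry.parts or ".." in entry.parts:
        return None
    candidate = root.joinpath(*entry.parts)
    # Defence in depth: the joined path must still lie below dest_root.
    if root not in candidate.parents:
        return None
    return candidate


# Constructed entry names modelled on the behaviour the article describes.
SAMPLE_ENTRIES = [
    r"docs\readme.txt",                                    # legitimate
    r"C:\Users\Public\Start Menu\Programs\Startup\x.exe",  # absolute, drive letter
    r"\Users\Public\Start Menu\Programs\Startup\x.exe",    # absolute, no drive
    r"..\..\Users\Public\Startup\x.exe",                   # relative traversal
    r"\\server\share\x.exe",                               # UNC path
    "pics/../../x.exe",                                    # forward slashes
]


def check_entries(dest_root: str, names=SAMPLE_ENTRIES) -> Dict[str, bool]:
    """Map each entry name to True (would be written) or False (rejected)."""
    return {name: target_path(dest_root, name) is not None for name in names}


if __name__ == "__main__":
    for name, ok in check_entries(r"C:\extract").items():
        print("ALLOW " if ok else "REJECT", name)
```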
The vulnerability the Check Point researchers discovered affects versions of WinRAR stretching back for 19 years. As a result of Check Point’s research, WinRAR decided to drop support for the ACE archive format altogether.
“Aforementioned vulnerability makes it possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives. WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect the security of WinRAR users,” WinRAR said in a statement.