ngCERT Advisory: 19-year-old WinRAR vulnerability leads to over 100 malware exploits

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2019-0006
Version:
1.00
CVE:
CVE-2019-557
Published:
January 17, 2020

Summary


A 19-year-old WinRAR vulnerability leads to over 100 malware exploits.

Description & Consequence


Overview

WinRAR is a trialware file archiver utility for Windows which can create and view archives in RAR or ZIP file formats and unpack numerous archive file formats.

Description and Consequences

According to the WinRAR website, over 500 million users worldwide make WinRAR the world's most popular compression tool. Although a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched. When a vulnerable version of WinRAR is used to extract the contents of such a malicious archive, a payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.

Solution


An exploit file causes WinRAR to extract an archived file to an arbitrary path (path traversal), for example into the Startup folder (which gains code execution after reboot) instead of into the destination folder. Two filter functions must be bypassed to trigger the bug, so that an empty string is concatenated to the relative path of the compressed file instead of the destination folder. Note: there is a callback function in the WinRAR code that is used as a validator/filter function. During the extraction process, unacev2.dll calls this callback, which validates the relative path of the compressed file. If a blacklisted sequence is found, the extraction operation is aborted.
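The defensive counterpart of the validator callback described above is a path check that runs on every archive member name before anything touches the filesystem, and rejects any name that would resolve outside the chosen destination folder. The following is an added example, not ngCERT's, WinRAR's or Check Point's code; it uses Python's standard ZIP module as a stand-in for the archive format (the advisory names no implementation), and the sample archive, member names and payload strings are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member_path(member_name: str) -> bool:
    """Return True only if member_name stays inside the extraction directory.

    The check works on the raw string, before any filesystem call, so that
    '/' and '\\' separators, absolute paths, Windows drive letters and '..'
    traversal are all caught the same way on every platform.
    """
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/"):
        return False                       # absolute path
    if len(name) >= 2 and name[1] == ":":
        return False                       # Windows drive letter, e.g. C:...
    depth = 0                              # how many directories deep we are
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return False               # climbed above the destination
        else:
            depth += 1
    return True


def find_unsafe_members(zip_bytes: bytes) -> list:
    """List every member whose name would escape the destination folder."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member_path(n)]


def safe_extract(zip_bytes: bytes, dest_root: str) -> list:
    """Extract only validated members and return their names.

    As a second line of defence the resolved target path is checked against
    dest_root after normalisation, so a gap in the string check still cannot
    write outside the destination (e.g. via a symlink already on disk).
    """
    extracted = []
    dest_root = os.path.realpath(dest_root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member_path(name):
                continue                   # string-level rejection
            target = os.path.realpath(
                os.path.join(dest_root, name.replace("\\", "/")))
            if os.path.commonpath([dest_root, target]) != dest_root:
                continue                   # filesystem-level rejection
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member plus two that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless text\n")
        zf.writestr("../../Startup/payload.exe", "not a real binary")
        zf.writestr("C:\\Windows\\Temp\\payload.exe", "not a real binary")
    return buf.getvalue()


def demo() -> dict:
    """Run the checks against the constructed archive in a scratch directory."""
    zip_bytes = build_sample_archive()
    with tempfile.TemporaryDirectory() as tmp:
        extracted = safe_extract(zip_bytes, tmp)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), tmp).replace(os.sep, "/")
            for root, _, files in os.walk(tmp) for f in files)
    return {"unsafe": find_unsafe_members(zip_bytes),
            "extracted": extracted, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

The string check and the filesystem check are deliberately independent: the first rejects traversal and absolute names without trusting any normalisation routine, the second catches anything the first misses once the real path is resolved. An extractor that relies on a blacklist of character sequences alone, as the callback in the advisory does, has to anticipate every encoding trick; an allow-list check that the final path must remain under the destination does not.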

Reference


  1. https://www.slashgear.com/19-years-old-winrar-vulnerability-leads-to-over-100-malware-exploits-16569928/
  2. https://research.checkpoint.com/extracting-code-execution-from-winrar/
