WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a 14-year-old vulnerability that allowed attackers to execute malicious code when targets opened a booby-trapped file.
The vulnerability was an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that has not been updated since 2005. The traversal allowed archive contents to be extracted into a folder chosen by the archive's creator rather than the folder chosen by the person using the program. Because the third-party library was built without exploit mitigations such as address space layout randomization, there was little to prevent exploitation.
The researchers at Check Point Software, the security firm that discovered the vulnerability, initially struggled to understand how to exploit the vulnerability to execute the code of their choice. The most obvious path – to extract an executable file into the Windows Startup folder where it would run at the next reboot – required that WinRAR run with privileges or integrity levels greater than those obtained by default.
To overcome this hurdle, the researchers wrote an exploit that improperly specified the Startup folder as "C:\C:\C:\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file_file.exe" instead of "C:\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file_file.exe", after discovering that a filter function in the UNACEV2 library would convert the former into the latter. With this, they created an exploit that dropped the code of their choice into the Startup folder, where it would run the next time Windows was restarted. In release notes published late last month, the WinRAR developers said they had fixed the vulnerability.
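The lesson of the filter function above is that "cleaning up" an odd-looking archive entry path can itself produce the traversal; the safer design is to reject any entry that is absolute, carries a drive prefix, or contains a ".." component, and then to confirm that the fully normalized destination still lies under the output directory. The following is an added example of such a check (not code from the article, WinRAR or Check Point); the destination directory and the archive entry names, including the malformed one quoted above, are constructed for illustration, and Windows path rules are applied through Python's ntpath so the check runs the same on any host.

```python
"""
Added example: a defensive destination check for archive extraction.
Not from the article or from WinRAR/Check Point code; the paths below
are constructed for illustration.
"""
import ntpath
from typing import Dict, List, Optional

# Constructed output directory chosen by the user, not by the archive.
DEST_DIR = "C:\\Users\\alice\\Downloads\\out"

# Constructed archive entry names: two benign ones and several that try
# to escape DEST_DIR, including the drive-prefix trick quoted in the text.
SAMPLE_ENTRIES: List[str] = [
    "docs\\readme.txt",
    "docs/notes.txt",
    "C:\\C:\\C:\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    "\\Programs\\Startup\\file_file.exe",
    "C:\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    "\\Programs\\Startup\\file_file.exe",
    "..\\..\\AppData\\Roaming\\evil.exe",
    "\\AppData\\Roaming\\evil.exe",
    "docs\\..\\..\\evil.exe",
]


def safe_destination(dest_dir: str, entry_name: str) -> Optional[str]:
    """
    Return the absolute path an archive entry may be written to, or None
    if the entry must be rejected. Nothing is rewritten: an entry that
    does not pass as-is is refused outright.
    """
    # An archive entry must be relative: refuse drive prefixes ("C:") and
    # names that start at the filesystem root ("\\..." or "/...").
    drive, _ = ntpath.splitdrive(entry_name)
    if drive or entry_name[:1] in ("\\", "/"):
        return None
    # Split on either separator and drop empty components ("a\\\\b").
    parts = [p for p in entry_name.replace("/", "\\").split("\\") if p]
    if not parts:
        return None
    # Refuse ".." anywhere and any component carrying a colon, which is
    # how an embedded drive prefix hides inside a "relative" name.
    if any(p == ".." or ":" in p for p in parts):
        return None
    # Final defence: resolve the joined path and confirm it still sits
    # under dest_dir after normalization.
    root = ntpath.normpath(ntpath.abspath(dest_dir))
    target = ntpath.normpath(ntpath.join(root, *parts))
    if ntpath.commonpath([root, target]) != root:
        return None
    return target


def classify(dest_dir: str, entries: List[str]) -> Dict[str, Optional[str]]:
    """Map each entry name to its permitted destination, or None if refused."""
    return {name: safe_destination(dest_dir, name) for name in entries}


if __name__ == "__main__":
    for name, decision in classify(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{'ALLOW' if decision else 'REJECT':6} {name!r} -> {decision}")
```

Run on the constructed list, only the two `docs\` entries are allowed; every entry that names a drive, starts at the root, or contains `..` is refused before any normalization takes place, so there is no intermediate "cleaned" form for an attacker to aim at.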
"UNACEV2.DLL was not updated since 2005 and we do not have access to its source code," wrote the officials. "So we decided to remove support for the ACE archive format to protect the security of WinRAR users."
The code execution vulnerability in WinRAR has existed for fourteen years, since the creation of the UNACEV2 library, and perhaps longer, Check Point researchers said in a blog post. In the same post, they compared their proof-of-concept exploit to the zero-day attacks that the exploit broker Zerodium had announced it would buy for as much as $100,000.
We always pay up to $100,000 for #0day exploits (code execution) affecting the main file archivers: WinRAR, 7-Zip, WinZip (on Windows) or tar (on Linux). For more information: https://t.co/fKnggJyb0H #BigBounties
– Zerodium (@Zerodium) October 18, 2018
It's not clear that the comparison is relevant. The wording of Zerodium's tweet suggests that the broker may have been looking for a generic exploit that would work against several compression programs. In contrast, the proof-of-concept exploit works only on WinRAR. The most important impact of Check Point's research may be the follow-on findings if other applications that bundle UNACEV2.DLL turn out to suffer from similar path traversal vulnerabilities.