WinRAR bug found and patched after 19 years

Security researchers discovered a 19-year-old WinRAR bug that could affect millions of users.

Nadav Grossman, security researcher for Check Point Software Technologies, based in San Carlos, Calif., said he and his team began to fuzz Windows binaries using the open source WinAFL fuzzer tool and found the WinRAR bug. WinRAR is a tool used to extract or compress files into zip format or into the RAR format.

"One of the crashes produced by the fuzzer led us to an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR [address space layout randomization], DEP, etc.) and is used by WinRAR," Grossman wrote in a blog post last week.

"We turned our focus and fuzzer to this 'low hanging fruit' dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution. However, the fuzzer produced a test case with 'weird' behavior," he wrote. "After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution."

Grossman described the WinRAR bug as being caused by an outdated DLL used to handle the ACE compression format. All a malicious actor would need to do is get a victim to extract a malicious ACE file -- even if it were renamed as a RAR file -- and malware could be extracted to anywhere on the target machine, even the startup folder.

The WinRAR bug affects all versions of the software dating back 19 years and could put millions at risk. WinRAR claims to have more than 500 million users.

Jake Williams, founder and CEO of Rendition Infosec in Augusta, Ga., said the utility is especially popular in China.

"We see it all over the place in two medical networks that bring in visiting Chinese doctors and researchers. There seems to be a cultural shunning of 7-Zip -- which can also do RAR files, if you really wanted to. That might be a 'we've always done it this way' kind of effect," Williams said. "Attackers love RAR for a lot of reasons. So, when we saw it in these networks, we were shocked. Attackers like to use them for data exfiltration."

WinRAR patched the issue in a new 5.70 beta 1 version of the app and noted in a statement on its website that ACE support was removed.

"Aforementioned vulnerability makes possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives. WinRAR used this third party library to unpack ACE archives," WinRAR wrote. "UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users."

However, experts like Tal Be'ery, co-founder of cryptocurrency wallet maker KZen Networks, based in Tel Aviv, Israel, were worried whether the patch would make it to users, because WinRAR doesn't have an auto-update feature.

The icing on the attackers cake, WinRAR needs to be proactively updated by users to remediate. I think we should expect many malicious RAR (ACE inside) attachments.@GossiTheDog do you have a honey pot for attachments? https://t.co/CPNFklwDNE

— Tal Be'ery (@TalBeerySec) February 20, 2019