WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.
The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing, rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.
Researchers from Check Point Software, the security firm that discovered the vulnerability, initially had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. The most obvious path—to have an executable file extracted to the Windows startup folder where it would run on the next reboot—required WinRAR to run with higher privileges or integrity levels than it gets by default.
To clear that hurdle, the researchers wrote a proof-of-concept exploit that misrepresented the startup folder—“C:C:C:..AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsome_file.exe” instead of “C:..AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsome_file.exe”—after discovering that a filter function in UNACEV2 library would convert it to the latter location. With that, they created an exploit that dropped code of their choice into the Windows startup, where it would be executed the next time Windows rebooted. In release notes published late last month, WinRAR officials said they patched the vulnerability.
“UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code,” the officials wrote. “So we decided to drop ACE archive format support to protect security of WinRAR users.”
The code-execution vulnerability in WinRAR has existed the entire 14 years since the UNACEV2 library was created, and possibly earlier, Check Point researchers said in a blog post. In the same post, they compared their proof-of-concept exploit to zero-day attacks exploit broker Zerodium said it would buy for as much as $100,000.
We’re still paying up to $100,000 for #0day exploits (code execution) affecting major file archivers: WinRAR, 7-Zip, WinZip (on Windows) or tar (on Linux). For more information: https://t.co/fKnggJyb0H #BigBounties
— Zerodium (@Zerodium) October 18, 2018
It’s not clear it’s an apt comparison. The phrasing of Zerodium’s tweet suggests the broker may have been looking for a generic exploit that would work against multiple compression programs. The proof-of-concept exploit, by contrast, works only on WinRAR. The more significant impact of Check Point’s research may be the fallout created if other apps that bundle UNACEV2 suffer from similar traversal vulnerabilities.