Zero-Day WinRAR Remote Code Execution Flaw Allows Full PC Takeover

A patch has been released to correct a 19-year-old zero-day WinRAR remote code execution vulnerability. The flaw was identified by security researchers at Check Point, who were able to exploit it to take full control of a vulnerable computer.

All that is required is to send an email to someone with an out-of-date version of the software installed on their computer and convince them to open an attached compressed file.

WinRAR is a popular data compression tool. Approximately 500 million users have WinRAR installed on their computer and are vulnerable to an attack.

The zero-day WinRAR flaw is a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library that WinRAR uses to parse ACE archives. The file dates back to 2006 and has no protection mechanisms in place.

Check Point researchers renamed an ACE file with a .rar extension; when the archive was opened, unacev2.dll extracted a malicious file into the system startup folder. The process occurred without the user's knowledge when they opened the doctored ACE file, and such a file could easily be distributed via a phishing campaign. Once extracted, the malicious file is automatically executed when the system is rebooted.

Check Point has published a PoC and has demonstrated how an attack could take place. In its example, opening the compressed file extracted a benign file to the Desktop, indicating that the extraction process was successful, but unbeknownst to the user, the malicious executable was also written to the startup folder. Once the computer is rebooted, the attacker could gain full control of the infected device.
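As an added illustration of the two defensive checks this attack motivates (this is not Check Point's PoC or WinRAR's code), the following Python inspects an attachment before extraction: it spots an ACE archive hiding behind a .rar name by its signature bytes, and refuses entry names that would escape the extraction directory. The signature offsets are taken from the published RAR and ACE formats; the sample archive bytes and entry names are constructed.

```python
import ntpath

# Format signatures: RAR archives begin with "Rar!\x1a\x07"; ACE archives carry
# "**ACE**" at offset 7 of their first header. The filename extension is not trusted.
RAR_MAGIC = b"Rar!\x1a\x07"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7


def archive_kind(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the filename."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named .rar is really an ACE archive, the renaming
    trick described above that makes WinRAR hand the file to unacev2.dll."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext == "rar" and archive_kind(data) == "ace"


def member_path_is_safe(member: str) -> bool:
    """Reject entry names that could land outside the extraction directory.
    Both separators count (the archive is opened on Windows) and any '..'
    segment is refused outright rather than simulating the directory walk."""
    normalized = member.replace("\\", "/")
    if normalized.startswith("/") or ntpath.splitdrive(normalized)[0]:
        return False  # absolute, UNC or drive-qualified path
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    return bool(parts) and ".." not in parts


def triage(filename: str, data: bytes, members: list) -> list:
    """Return the reasons an attachment should be quarantined before extraction."""
    findings = []
    if extension_mismatch(filename, data):
        findings.append("extension/format mismatch: .rar name on ACE data")
    findings.extend(f"unsafe entry path: {m}" for m in members if not member_path_is_safe(m))
    return findings


# Constructed sample inputs (not Check Point's PoC): a minimal ACE-style header
# under a .rar name, plus one benign and one traversal-style entry name.
SAMPLE_ACE_BYTES = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16
SAMPLE_MEMBERS = ["readme.txt", r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\placeholder.exe"]

if __name__ == "__main__":
    for finding in triage("invoice.rar", SAMPLE_ACE_BYTES, SAMPLE_MEMBERS):
        print(finding)
```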

The bug was reported to WinRAR which updated its software in January to correct the flaw. WinRAR has now dropped support for the ACE archive format to ensure the flaw cannot be exploited.

Users should check whether WinRAR is installed on their computer and, if so, update it immediately.

Author: NetSec Editor