Security Week 09: a 19-year-old vulnerability in WinRAR

    This week's topic is prehistoric bugs. The vulnerability in the WinRAR archiver, discovered and fixed at the end of January, was described in detail by Check Point Software researchers ( news , original research ). In the worst case the flaw lets a crafted archive unpack a malicious file to an arbitrary location on the disk, for example into the Windows Startup folder.

    This vulnerability is a reminder to think about the hard-to-audit third-party libraries in your own software, but not only that. Today we will briefly cover the problem itself, the WinRAR developers' decision to drop the library for unpacking ACE archives, and the question of updating WinRAR on users' computers. Looking ahead: although the news made a big splash, it is largely a story with a happy ending. But the class of vulnerabilities tied to processing any archive that arrives on your computer deserves special attention.

    The original report contains many (interesting) details before it gets to the demonstration, but let's look at the result straight away.



    The crafted archive is saved on the desktop, the user tries to extract it there, but instead the executable is written to the Startup folder. How did this happen? The researchers used fuzzing, specifically the WinAFL package, maintained by the Google Project Zero team, which is the Windows port of american fuzzy lop (AFL). Like similar tools, WinAFL lets you test the security (or stability) of software by feeding the application random (or not quite random) data and recording how it reacts. Fuzzers can be considered a kind of "magic wand" for a security researcher: they help find crashes in places where a program should not crash.

    However, the Check Point report shows that things are not that simple. Fuzzing WinRAR with WinAFL surfaced several unexpected crashes and led the researchers to the library that handles archives in ACE format, a proprietary archive standard. This library (unacev2.dll) was last updated in 2006 and had none of the standard mitigations (such as ASLR or DEP). Moreover, it had shipped in every version of WinRAR for the past 19 years and, as it later turned out, had been vulnerable all that time. At the time the bug was found, the WinRAR developers did not have access to its source code. ACE was once a commercial archiver: the unpacking library was free, but archives in this format could legitimately be created only with the proprietary WinACE utility (it was updated until 2007, its website existed until 2017, and by now it is clearly abandoned software).

    Finding a simple vulnerability like path traversal, where the archiver unpacks a file into an arbitrary directory, did not work right away; the researchers had to set the fuzzer up again, this time after studying the format's features using both the original WinACE program and freely available Python code for unpacking ACE archives. In the next hunt for random glitches, they found a file that was not saved at all where WinAFL expected the library to write its output.



    The point is that the ACE format allows the full path of a packed file to be stored. Normally this path is appended to the extraction path the user chooses when unpacking. During fuzzing it turned out that a certain combination of data made the path absolute, that is, the file was unpacked not where the user pointed but anywhere at all, which is not good. From here it seems simple: apply the same trick not to the library directly but to WinRAR itself, right? Not quite: the vulnerability did not reproduce. We will not retell the whole story of finding the right combination of parameters and bypassing another validation stage in WinRAR itself: the program checks the save path and strips anything suspect from it precisely to avoid situations like this. As it turned out, though, it does not check every possible variant.



    This is what it came to. Here is a screenshot of the analysis of a "prepared" archive using the Python code mentioned above. The doubled c:\ at the beginning of the path is handled by the unacev2 library and by WinRAR itself in such a way that the file ends up written to an arbitrary directory. So the exploit is ready? Again no, or rather not quite. Trying to write the executable into the system-wide Startup folder in this configuration triggers Windows protections. But the researchers found a way around this limitation if the archive is saved inside the user's profile, for example in the Downloads folder or on the desktop (which is quite likely). As shown in the video at the beginning, the crafted file was saved into the user's own Startup folder by stepping one folder up in the stored file path.
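The two paragraphs above describe the general shape of an archive path-traversal bug: an entry carries a stored path, the extractor strips what it considers dangerous, and a variant the filter did not anticipate (here, a doubled drive prefix and a step up the directory tree) still escapes the chosen directory. The following is an added illustration, not code from WinRAR, unacev2.dll or the Check Point research. The "strip once" filter, the destination `C:\Users\alice\Desktop`, the Startup path and every entry name are constructed for the example; it uses Python's `ntpath` so the Windows path rules apply on any OS, and contrasts the weak filter with a containment check that resolves the final path and refuses anything outside the destination.

```python
"""Archive path traversal: a 'strip once' filter next to a containment check.

Added illustration for this post. The weak filter is a constructed stand-in for
the kind of check the article describes, not the code of WinRAR or of
unacev2.dll, and the paths below are made up.
"""
import ntpath
from typing import Dict, Optional

# Constructed scenario: the user extracts to the desktop; the per-user Startup
# folder lives one level up from it, under AppData.
DEST = r"C:\Users\alice\Desktop"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed archive entry names (the "full path" an ACE-style format stores).
ENTRIES: Dict[str, str] = {
    "benign": r"docs\readme.txt",
    "plain_abs": r"C:\evil.exe",
    "double_drive": r"C:\C:\evil.exe",
    "double_dotdot": r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe",
}


def strip_once(name: str) -> str:
    """Constructed weak sanitizer: remove ONE leading drive prefix ('X:\\' or
    'X:/') and ONE leading '..' component, then trust whatever remains."""
    if len(name) >= 3 and name[0].isalpha() and name[1] == ":" and name[2] in "\\/":
        name = name[3:]
    if name.startswith(("..\\", "../")):
        name = name[3:]
    return name


def weak_target(dest: str, name: str) -> str:
    """Where an extractor that relies on strip_once() would write the entry."""
    return ntpath.normpath(ntpath.join(dest, strip_once(name)))


def safe_target(dest: str, name: str) -> Optional[str]:
    """Containment check: resolve the final path and refuse anything that does
    not land inside dest. Returns the path to write, or None to reject."""
    dest_n = ntpath.normpath(dest)
    # Reject every absolute or drive-relative spelling up front:
    # 'C:\x', 'C:x', '\x', '\\server\share\x'.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name[:1] in ("\\", "/"):
        return None
    candidate = ntpath.normpath(ntpath.join(dest_n, name))
    try:
        inside = ntpath.commonpath([dest_n, candidate]) == dest_n
    except ValueError:  # paths on different drives share no prefix
        inside = False
    return candidate if inside else None


def compare(dest: str, entries: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run both extractors over the entries for a side-by-side view."""
    return {k: {"weak": weak_target(dest, v), "safe": safe_target(dest, v)}
            for k, v in entries.items()}


if __name__ == "__main__":
    for key, result in compare(DEST, ENTRIES).items():
        print(f"{key:14s} weak -> {result['weak']}")
        print(f"{'':14s} safe -> {result['safe']}")
```

The weak filter catches the plain `C:\evil.exe` entry, but the doubled prefix leaves a second absolute path behind after one pass, and the doubled `..` leaves one step up, which from the desktop is exactly the user profile that contains the Startup folder. The containment check does not try to enumerate bad spellings; it normalises the joined path and keeps only results that still have the destination as a prefix.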

    What is the upshot? In WinRAR 5.70 Beta 1 the vulnerability was fixed by dropping the outdated ACE library entirely. It is unlikely that anyone will be seriously upset about that. Incidentally, the advice given in a ZDNet article, "Do not open suspicious archives in ACE format", is slightly off the mark. WinRAR does not identify archive formats by file extension, so the exploit works with a vulnerable version of the program even if the crafted ACE archive carries a .rar extension (or any other). Not opening suspicious archives is good advice, but in general you simply need to update.
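Because the archiver decides by content, any filter that wants to catch ACE archives (a mail gateway, a download scanner) has to do the same. The following added example, not code from WinRAR or from the research, sniffs the leading bytes: the RAR 4 and RAR 5 signatures at offset 0 and the `**ACE**` marker that the ACE main header carries at byte offset 7 (the same test the `file` utility's libmagic uses). The file names, the `EXT_HINT` table and the sample byte strings are constructed for the example and are not real archives.

```python
"""Identify an archive by its content rather than its file name.

Added illustration for this post, not code from WinRAR or Check Point. The
sample bytes are constructed header prefixes, not real archives.
"""
from typing import Dict, Tuple

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_SIGN = b"**ACE**"
# ACE main header: HEAD_CRC(2) HEAD_SIZE(2) HEAD_TYPE(1) HEAD_FLAGS(2), then the signature.
ACE_SIGN_OFFSET = 7

# Constructed mapping from what a file name claims to a format label.
EXT_HINT = {".rar": "rar", ".ace": "ace"}


def sniff_archive(data: bytes) -> str:
    """Return 'rar', 'ace' or 'unknown' from the leading bytes only."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if data[ACE_SIGN_OFFSET:ACE_SIGN_OFFSET + len(ACE_SIGN)] == ACE_SIGN:
        return "ace"
    return "unknown"


def extension_hint(filename: str) -> str:
    """What the extension alone would suggest."""
    dot = filename.rfind(".")
    return EXT_HINT.get(filename[dot:].lower(), "unknown") if dot != -1 else "unknown"


def classify(filename: str, data: bytes) -> Tuple[str, str, bool]:
    """(format the name claims, format the bytes show, whether they disagree)."""
    claimed = extension_hint(filename)
    actual = sniff_archive(data)
    return claimed, actual, claimed != actual


# Constructed samples: a minimal ACE main-header prefix and a RAR4 prefix.
ACE_PREFIX = b"\x00\x00\x31\x00\x00\x00\x00" + ACE_SIGN + b"\x00" * 40
SAMPLES: Dict[str, bytes] = {
    "report.ace": ACE_PREFIX,
    "invoice.rar": ACE_PREFIX,            # ACE body hiding behind a .rar name
    "photos.rar": RAR4_MAGIC + b"\x00" * 40,
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        claimed, actual, mismatch = classify(name, body)
        flag = "MISMATCH" if mismatch else "ok"
        print(f"{name:12s} name says {claimed:7s} bytes say {actual:7s} {flag}")
```

Only the first few dozen bytes are needed, so the check is cheap enough to run on every attachment; a mismatch between name and content is itself a useful signal, independent of whether the archive turns out to be malicious.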



    Now take a minute away from this post and check which version of WinRAR you have installed (if, of course, you use this archiver). For reference: version 5.50 was released in 2017, 5.00 in 2013, 3.90 in 2009. With some probability, the release date of your WinRAR will roughly match the date the system was first set up, because this program still has no automatic update mechanism. As the tweet from the vulnerability broker Zerodium shows, there is demand for working exploits in archivers. Vulnerabilities like the one found in the ACE library can be used for mass or targeted attacks on victims' computers. It should be noted that the odds of such a bug being exploited successfully are far from absolute. It is quite likely that the infected archive will be blocked by the mail service (Gmail, for example, no longer lets through password-protected archives or archives with executable files inside) or by antivirus software. Unless, of course, you don't have any.

    Nevertheless, all these annoying reminders to update one of the dozens of programs installed on a computer do make sense. Otherwise it is easy to miss a serious vulnerability that will fire at the most inopportune moment. In fairness, serious problems in WinRAR turn up infrequently.

    Disclaimer: The opinions expressed in this digest do not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.
