
WinRAR vulnerability, unfixed for 19 years, lets an attacker drop an extracted file anywhere on disk

Check Point security researchers have discovered a serious vulnerability in the WinRAR archiver and demonstrated how it can be used to extract a file to an arbitrary location on disk, rather than to the directory the user chose.
Since the archiver has roughly half a billion users, the flaw potentially affects all of them. Notably, the problem had existed for 19 years without anyone fixing it.
The researchers first notified the WinRAR developers, who closed the hole; only after that did Check Point publish the technical details of the already-patched vulnerability.

The problem lies in the UNACEV2.DLL library, which has shipped with almost every version of the archiver for many years and was last updated in 2005. It is responsible for unpacking archives in the ACE format (which, incidentally, is not widely used). A great deal has changed in software security since the library was last touched, so it is not surprising that a long-hidden vulnerability could be found in it.
To drop a file in a location of your choosing, you need to craft an ACE archive; that is the only way to bypass the extraction directory specified by the user. In effect this is a path traversal: the path carried inside the archive entry is honoured instead of the user's chosen destination. The researchers used it to place malware in the Startup folder, from which it is launched every time the system boots.
It is not a single bug: the researchers found several issues at once (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253). All were addressed in the WinRAR 5.70 Beta 1 release, and the fix was unusual. Because the source code of UNACEV2.DLL had been lost many years ago, the developers decided not to repair it; rather than reverse-engineer the library, they dropped support for the ACE format entirely.
WinRAR's creators advised users to install the update as soon as possible, and security experts recommend not opening ACE archives at all, or at least none received from unknown senders. A quick check that the fix is in place: WinRAR has no automatic update mechanism, and the patched build removes UNACEV2.DLL from the installation directory, so if that DLL is still present the installed copy is still vulnerable. Attackers who learn of the problem may well distribute malicious archives, leading to the infection of a large number of user machines.
It is not known whether attackers exploited this vulnerability before the fix, but, as noted above, half a billion users of the archiver are exposed until they update.
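The two practical points above, rejecting archive entries whose stored path escapes the user's extraction directory and recognising ACE content regardless of file extension, can be illustrated with a small Python check. This is an added example written for this page; it is neither WinRAR's code nor Check Point's proof of concept, and the destination path, entry names and byte strings in it are constructed. It goes slightly beyond the article's single case by also rejecting drive letters, UNC prefixes, root-relative paths and forward-slash separators. The `**ACE**` signature at offset 7 of the main header is a property of the ACE format taken from outside the article.

```python
import ntpath

# ACE archives carry the 7-byte signature "**ACE**" at offset 7 of the main
# header (a property of the format, not stated in the article).
ACE_SIGNATURE = b"**ACE**"
ACE_SIGNATURE_OFFSET = 7


def looks_like_ace(head: bytes) -> bool:
    """True if the first bytes of a file carry the ACE main-header signature.
    Checking content rather than the extension matters because the extension
    is under the sender's control."""
    end = ACE_SIGNATURE_OFFSET + len(ACE_SIGNATURE)
    return len(head) >= end and head[ACE_SIGNATURE_OFFSET:end] == ACE_SIGNATURE


def resolve_entry(dest_dir: str, entry_name: str) -> tuple[bool, str]:
    """Decide whether an archive entry may be written under dest_dir.

    Returns (allowed, target): `target` is the normalized path the entry would
    land on, or the raw entry name for entries rejected as absolute. Windows
    path rules (ntpath) are applied explicitly so the check behaves the same
    on any host.
    """
    if not entry_name or "\x00" in entry_name:
        return False, entry_name
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # A drive letter, a UNC prefix, or a leading backslash means the entry
    # names an absolute (or root-relative) location: never honour it.
    if drive or rest.startswith("\\"):
        return False, entry_name
    base = ntpath.normpath(dest_dir)
    base_prefix = base if base.endswith("\\") else base + "\\"
    target = ntpath.normpath(ntpath.join(base, name))
    # normpath collapses ".." segments; the entry is safe only if the collapsed
    # path still lies inside the destination (compared case-insensitively, as
    # Windows would).
    inside = ntpath.normcase(target).startswith(ntpath.normcase(base_prefix))
    return inside, target


def audit(dest_dir: str, entries: list[str]) -> list[tuple[str, bool, str]]:
    """Run resolve_entry over a list of entry names; returns (name, ok, target)."""
    return [(name, *resolve_entry(dest_dir, name)) for name in entries]


# Constructed destination and entry names (hypothetical victim profile path).
DEST = "C:\\Users\\victim\\Downloads\\extracted"
STARTUP_TRAVERSAL = ("..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
                     "\\Programs\\Startup\\payload.exe")
SAMPLE_ENTRIES = [
    "docs\\readme.txt",                      # ordinary relative entry
    "docs/../notes.txt",                     # forward slashes, stays inside
    STARTUP_TRAVERSAL,                       # climbs out into the Startup folder
    "C:\\Windows\\Temp\\payload.exe",        # absolute path with drive letter
    "\\\\server\\share\\payload.exe",        # UNC path
    "\\Windows\\Temp\\payload.exe",          # root-relative path
]

# Constructed byte strings: only the first mimics an ACE main header.
ACE_HEAD = b"\x00" * 7 + ACE_SIGNATURE
ZIP_HEAD = b"PK\x03\x04" + b"\x00" * 10

if __name__ == "__main__":
    for name, ok, target in audit(DEST, SAMPLE_ENTRIES):
        print("allow " if ok else "REJECT", repr(name), "->", target)
    print("file with .rar extension is really ACE:", looks_like_ace(ACE_HEAD))
    print("zip header mistaken for ACE:", looks_like_ace(ZIP_HEAD))
```

The rejected traversal entry resolves to the Startup folder under the victim's profile, which is exactly the outcome the article describes; an extractor that trusts the stored path would write there, one that applies this check never would.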
Zero-day vulnerabilities like this one are readily bought by brokers that acquire exploits on behalf of various governments and militaries. One organization that openly buys vulnerabilities and exploits is Zerodium; it recently raised its payout for working WhatsApp and iMessage exploits from several hundred thousand US dollars to $1 million.
“Messaging applications, including WhatsApp, sometimes serve as a communication channel for attackers, and encryption makes it difficult for intelligence services to obtain the data they need,” says Zerodium founder Chaouki Bekrar.
Clients of this organization have included state-linked groups such as the Equation Group (Five Eyes, Tilded Team) and Animal Farm (Snowglobe). Zerodium and similar companies are approached not only by buyers but also by sellers, including security researchers who want the highest price for a vulnerability they have found. Many software and hardware vendors run their own bug bounty programs, but these have two problems: the reward is not always paid, and the payouts offered by a vendor program and by Zerodium can differ substantially, to the vendor programs' disadvantage.