Security Affairs
EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Critical bug in WINRAR affects all versions released in the last 19 years

Security experts at Check Point have disclosed technical details of a critical vulnerability in the popular file compression software WinRAR. Experts at Check Point discovered the logical bug in WinRAR by using the WinAFL fuzzer and found a way to exploit it to gain full control over a target computer Over 500 million users worldwide use the […]

winrar

Security experts at Check Point have disclosed technical details of a critical vulnerability in the popular file compression software WinRAR.

Experts at Check Point discovered the logical bug in WinRAR by using the WinAFL fuzzer and found a way to exploit it to gain full control over a target computer

Over 500 million users worldwide use the popular software and are potentially affected by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.

winrar

The issue affects a third-party library, called UNACEV2.DLL that is used by WINRAR.

The flaw resides in the way an old third-party library, called UNACEV2.DLL, handles the extraction of files compressed in ACE data format. The experts pointed out that WinRAR determines the file format by analyzing its content and not the extension, this means that an attacker can change the .ace extension to .rar extension to trick the victims.

The experts discovered that an attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

We have found a vector which allows us to extract a file to the Startup folder without caring about the <user name>.

By using the following filename field in the ACE archive:

C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe

It is translated to the following path by the CleanPath function:

C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe

Because the CleanPath function removes the “C:\C:” sequence.reads the analysis published by CheckPoint.

“Moreover, this destination folder will be ignored because the GetDevicePathLen function will return 2 for the last “C:” sequence.”

The following video PoC shows how to gain full control over a targeted system by tricking the victims into opening maliciously crafted compressed archive file using WinRAR.

The worst aspect of the story is that WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. The way to approach the problem is drastic, the team stop using the UNACEV2.dll and released WINRar version 5.70 beta 1 that doesn’t support the ACE format.

Don’t waste your time, install this new version of the software and do not open compressed archives with WINRAR that were received from unknown sources.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]