Immediate Threat: WinRAR Path Traversal
Feb 23, 2019 / Cymulate
To keep on giving our users the necessary tools to boost their cybersecurity posture, the Cymulate Research Lab is constantly searching for new global attacks that can compromise organizations. By adding the latest in-the-wild detected threats, we keep our BAS platform up-to-date. A unique (and highly popular) feature in our platform is the Immediate Threat assessment, which allows organizations to test themselves if they are vulnerable against the latest threats, hours after they are discovered in the wild.
The WinRAR Vulnerability
A threat the Cymulate Research Lab has been analyzing is a 19 year old WinRAR vulnerability, which was recently disclosed by checkpoint.
This severe vulnerability can be abused to achieve remote code execution (RCE) by tricking a WinRAR user into opening a malicious archive (.ACE).
This vulnerability resides within the UNACEV2.DLL library that is included with all WinRAR versions. This library is responsible for unpacking archives in the ACE format.
This vulnerability impacts all WinRAR versions released in the last 19 years.
For this new Immediate Threat, Cymulate provides a POC of a malicious ACE archive that when decompressed uses coding flaws in this library to plant malicious files in windows startup folder that will execute after the next reboot.
The .ACE archive extension in this POC is renamed to .RAR to trick users, but WinRAR will still treat it as .ACE archive.
Recommendations to Protect Your Organization
- 1Update WinRar - WinRAR devs released WinRAR 5.70 Beta to address this vulnerability tracked under the CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253 identifiers.
- 2System administrators should warn employees not to open any ACE archives without having updated WinRAR first.
- 3Home users should take care not to open any ACE archives they receive via email unless they've updated WinRAR first.