Security vulnerability found in WinRAR
This week, security researcher Mohammad Reza Espargham reported a critical Remote Code Execution (RCE) vulnerability in the popular archiver WinRAR v5.21. The program is used worldwide by more than 500 million people. The vulnerability allows an attacker to create a specially crafted self-extracting (SFX) archive that executes foreign code on the user's computer.
From the user's perspective, the severity of this vulnerability is low, since an SFX archive is an executable file: to trigger the exploit, the user must download and run (!) the file, which is already a breach of security practice, because running executable files of unknown origin is not recommended (they can be malicious in themselves).
The vulnerability lies in the archiver's «Text and icon» section, specifically the «Text to display in SFX window» field. Specially crafted HTML text is added to the SFX archive in that field. The vulnerability lets the unpacker's executable code download an executable file to a specified location and run it there. It does not work when the SFX archive is unpacked by the archiver rather than launched directly, since the unpacker's executable code is then never activated.
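On the defensive side, an SFX executable can be recognised by the RAR marker embedded after the PE stub, and the banner text region can be checked for active HTML content. The following scanner is an added example, not code from the advisory or from WinRAR; the PE and RAR marker bytes are public format constants, while the list of "active" tags and the sample blobs are assumptions constructed for this example.

```python
import re

# Public format constants: PE files start with "MZ"; RAR4 and RAR5 archives
# embedded behind an SFX stub begin with one of these marker blocks.
PE_MAGIC = b"MZ"
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Heuristic (an assumption of this example, not from the advisory): tags that
# load or run content have no place in a plain "Text to display" banner.
ACTIVE_HTML = re.compile(rb"<\s*(script|iframe|object|embed|meta)\b", re.IGNORECASE)


def find_rar_payload(data: bytes):
    """Return the offset of the first RAR marker inside a PE blob, or None."""
    if not data.startswith(PE_MAGIC):
        return None
    hits = [h for h in (data.find(sig) for sig in RAR_SIGNATURES) if h != -1]
    return min(hits) if hits else None


def scan_sfx(data: bytes) -> dict:
    """Classify a file: not an SFX, a clean SFX, or an SFX with active HTML."""
    offset = find_rar_payload(data)
    if offset is None:
        return {"is_sfx": False, "suspicious_tags": []}
    # Only the bytes after the marker belong to the archive (and its SFX text).
    found = {m.group(1).lower().decode() for m in ACTIVE_HTML.finditer(data[offset:])}
    return {"is_sfx": True, "rar_offset": offset, "suspicious_tags": sorted(found)}


# Constructed samples: a fake 66-byte stub, a RAR4 marker, then SFX banner text.
CLEAN_SFX = b"MZ" + b"\x00" * 64 + b"Rar!\x1a\x07\x00" + b"Text=<b>Setup for Example App</b>"
BAD_SFX = (b"MZ" + b"\x00" * 64 + b"Rar!\x1a\x07\x00"
           + b'Text=<iframe src="http://example.invalid/"></iframe>')

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SFX), ("bad", BAD_SFX)):
        print(name, scan_sfx(blob))
```

The archive comment that carries the SFX script may be stored compressed, so a raw-byte scan like this can miss it; listing the comment with the archiver itself (without running the SFX) is the reliable check.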
The description of the vulnerability is quite simple:
- Run the perl code: perl poc.pl
- Right-click on any file and select «Add to archive…»
- Select «Create SFX archive»
- Go to the Advanced menu and select «SFX options…»
- Go to the «Text and icon» menu
- Copy this perl output (HTML) and paste it into «Text to display in SFX window»
- Click OK, then OK
- Your SFX file is created
- Just open the SFX file
- Your link is downloaded/executed on your target
- Successful reproduction of the code execution vulnerability!
Demonstration of the vulnerability
We do not recommend that users run executable files received from untrusted sources. It should be noted that WinRAR itself contains a standard feature that lets an SFX archive run an additional executable when the user launches it. In addition, SFX files created by WinRAR are not digitally signed, so the user has little chance of verifying that the archive file is genuine and has not been tampered with. Attackers can take an original SFX archive, modify the unpacker code and then distribute it through dubious resources, for example as a legitimate-looking torrent. This does not exploit any vulnerability, but it leads to similar consequences for the user.