Critical flaw puts 500 million WinRAR users at risk of being pwned by unzipping a file

A critical remote code execution flaw in WinRAR could put 500 million users at risk of having their computers compromised if they simply open an infected zipped file, but the company behind WinRAR basically blew off the vulnerability.

alert detection prevent hacker hacking2
Credit: Thinkstock

500 million, yes half a billion, WinRAR users are at risk of being pwned thanks to a critical flaw that could allow hackers to take control of victims’ computers. Vulnerability Lab, via the Full Disclosure mailing list, put the world on notice about a remote code execution vulnerability in the latest version of WinRAR, WinRAR 5.21. If the critical bug in WinRAR is exploited by an attacker, then a victim’s system could be compromised by simply opening the file.

Whether it’s movies, music, applications, photos, pictures, gaming mods, or something else, if it’s a digital file then you can likely zip or unzip it. You may have used the popular WinRAR tool to pack or unpack a RAR, ZIP, 7Z, TAR, EXE, ISO, CAB or another supported archive. Let’s say, for example, that you have a torrent file. In this case, if you used the latest version of WinRAR to decompress an archive that contained malicious code, it would execute immediately upon unzipping the infected file. This could lead to not only your computer being compromised, but potentially also your network.

If you don’t know, then a remote code execution vulnerability is especially nasty. Bugs with a common vulnerability scoring system (CVSS) count of 7 – 10 are considered “high” severity. The critical flaw in WinRAR was given a 9.2 severity score by the security researcher who discovered it as a user only has to open an infected file for the device to be compromised by an attacker. It also doesn’t take “l33t” hacking skills to use the exploit; with the how-to basically out there now, making this a publicly disclosed zero-day in the wild, expect attackers to exploit this RCE vulnerability.

Irian security researcher Mohammad Reza Espargham, who posted the proof-of-concept (PoC) and the manual steps needed to reproduce the pwnage, explained, “The code execution vulnerability can be exploited by remote attackers without privilege system user account or user interaction.” 

Espargham posted a video, which ironically contains "fo0l" in the URL, showing how the PoC works.

There may be some debate, at least by one hacker, about who actually discovered the flaw as R-73eN claims to have published the same exploit using Python before it was rewritten in Perl and published a day later. R-73eN said of his discovery, “A window with expired notification title loads, reminding user to buy WinRAR to remove ads. Since this uses an HTTP connection, we can use [a] man-in-the-middle attack to gain remote code execution.”

Espargham's PoC may not work right out of the box, but it does work after being tweaked a bit. It worked for Malwarebytes researcher Pieter Arntz after he made “trivial changes.”

Arntz explained:

Basically, the attack uses the option to write HTML code in the text display window when creating a SFX archive, as you can see below:

WinRAR zero-day exploit

The attacker can use this to execute malicious code on the computer of the person(s) that open the SFX archive.

Executing WinRAR RCE vulnerability Malwarebytes

While it would seem like a patch would quickly be forthcoming before attackers use the critical flaw for their malicious payloads, there may not be a patch coming at all. Although Espargham believes all versions of WinRAR could be vulnerable to the exploit, “useless” pretty much sums up what RARLab, the maker of WinRAR, thinks about the PoC.

A “malicious hacker can take any executable, prepend it to archive and distribute to users. This fact alone makes discussing vulnerabilities in SFX archives useless,” RARLab wrote. “It is useless to search for supposed vulnerabilities in SFX module or to fix such vulnerabilities, because as any exe file, SFX archive is potentially dangerous for user's computer by design. As for any exe file, users must run SFX archives only if they are sure that such archive is received from a trustworthy source. SFX archive can silently run any exe file contained in archive and this is the official feature needed for software installers.”

In fact, RARLab suggested there are less complicated ways of silently pwning a RAR user than using the PoC.

Part of RARLab's official comment on WinRAR zero-day POC RARLab

But Malwarebytes did not blow off the vulnerability; instead the security firm advised WinRAR users “to be extra vigilant when handling uninvited compressed SFX files. Be advised to download the new version as soon as a patch has been made available.”

Yet RARLab’s official comment doesn’t sound like it intends to fix the issue:

Limiting SFX module HTML functionality would hurt only those legitimate users, who need all HTML features, making absolutely no problem for a malicious person, who can use previous version SFX modules, custom modules built from UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run exe files, either SFX archives or not, only if they are received from a trustworthy source.

Update: "As it turns out this vulnerability is more an attack vector that only works with the users’ cooperation. The vulnerability was fixed by Microsoft in November of 2014," Malwarebytes wrote in an email to Computerworld. The company posted a redaction which states, "We want to offer our most sincere apologies to WinRAR for any harm done by our reporting on a post first seen through the Full-Disclosure mailing list, we simply echoed the original reporting."

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Fix Windows 10 problems with these free Microsoft tools
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.