Critical 19-year Old Vulnerability Found in WinRAR


Check Point Software researchers found a critical vulnerability in WinRAR. They discovered the serious flaw, which has existed for 19 years, just last year. The flaw put over 500 million users at risk.

The popular Windows file tool is used to create and view file archives in RAR or ZIP file formats.

Nadav Grossman, a Check Point researcher, stated in a blog post:

“We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer.”

A fuzz test probes the limits of a piece of software by pouring random data into the program to try to break it. During Check Point’s fuzz test, the researchers found that WinRAR contained a path-traversal vulnerability that allowed cybercriminals to execute malicious code on users’ computers remotely, essentially giving attackers full access to users’ systems.

The vulnerability is present in all versions of WinRAR, in the UNACEV2.DLL library. This dynamic link library, created in 2006, has gone unsecured for 19 years. The library’s main function is to unpack files in the ACE format.

Check Point researchers were able to exploit this library to install malware in users’ startup folders. Malicious actors simply had to rename an ACE file with a RAR extension to make WinRAR extract a malicious program onto the user’s machine. After the computer was rebooted, the malware would infect and take over the machine.
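The two defensive checks this paragraph implies, written here as an added example rather than code from Check Point or WinRAR: recognizing an ACE archive by its header signature even when it has been renamed to .rar, and refusing to write any archive entry whose normalized destination falls outside the extraction directory. The sample header bytes and entry names are constructed.

```python
import posixpath
from typing import Optional

# Magic bytes: RAR archives begin with one of these, while an ACE main header
# carries "**ACE**" at byte offset 7. As the article notes, an ACE file renamed
# to .rar is still unpacked by the ACE library, so the name alone is no guide.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"

def sniff_archive(data: bytes) -> str:
    """Classify an archive by its leading bytes, ignoring the file name."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if len(data) >= 14 and data[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"

def ace_disguised_as_rar(filename: str, data: bytes) -> bool:
    """True when a file named *.rar is really an ACE archive."""
    return filename.lower().endswith(".rar") and sniff_archive(data) == "ace"

def safe_destination(extract_dir: str, entry_name: str) -> Optional[str]:
    """Return where an entry may be written, or None if it would escape extract_dir."""
    name = entry_name.replace("\\", "/")       # treat both separator styles alike
    if ":" in name or name.startswith("/"):
        return None                            # drive spec (C:) or absolute path
    normalized = posixpath.normpath(name)
    if normalized in ("", ".") or ".." in normalized.split("/"):
        return None                            # '..' survived normalization
    base = posixpath.normpath(extract_dir)
    dest = posixpath.normpath(posixpath.join(base, normalized))
    # Final containment check, independent of the component tests above
    if dest != base and not dest.startswith(base + "/"):
        return None
    return dest

if __name__ == "__main__":
    # Constructed samples: an ACE header renamed to .rar, and a genuine RAR header
    fake_rar = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 10
    real_rar = RAR4_MAGIC + b"\x00" * 20
    print(ace_disguised_as_rar("invoice.rar", fake_rar))   # True
    print(ace_disguised_as_rar("backup.rar", real_rar))    # False
    for entry in ("docs/report.pdf", "..\\..\\Startup\\run.exe", "C:/Users/x/a.exe"):
        print(entry, "->", safe_destination("/home/user/extract", entry))
```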

Although the vulnerability has not been found to have been exploited by malicious actors, this is a serious problem. The flaw was left open for anyone to exploit since 2005, putting millions at risk. Just last year, bug bounty programs offered up to $100,000 to anyone who found vulnerabilities in file compression tools like WinRAR or 7-Zip.

A patch for WinRAR was released last month. Anyone who has an older version of WinRAR should immediately update to the latest version before bad actors exploit the older versions.

If your organization was infected with malware, contact LIFARS today.