This past week, a vulnerability has been found in the WinRAR archive extraction software that has existed for almost 19 years. It was discovered by researchers at Check Point Software Technologies. The exploit allows for a path traversal which leads to remote code execution anywhere on the system. This issue stems from a third party dll, unacev2.dll, that is used to handle the .ace archive type.
This bug was discovered through fuzzing the WinRaR program and identifying the root cause of a crash. When the group identified the problem, they looked for a memory corruption bug, but instead found a logical bug which let the team navigate to any location on the target machine without even needing to know a user name.
When testing to identify the root cause of the bug, the fuzzer was used and they detected an anomaly where bits of the advertisement string and other pieces of the file’s hex dump were placed in a created directory and file.
They were unable to recreate it exactly due to the file name validation functions of WinRaR when attempting to utilize this similar issue inside of WinRaR. Even though the original case is caught by WinRaR, the unacev2.dll function return is cancelled by WinRar, the folder is still created temporarily due to a late check for the value that calls for cancellation.
This allows for the creation of empty files wherever the creator would like. The team goes a step farther and circumvents the path limitations set by WinRar using the cleanPath function that WinRaR uses to remove extraneous ‘C:/’ from relative paths. By adding another ‘C:/’ the team was able to bypass this and gain Path Traversal because the WinRaR path Check does not look for the ‘C:’. It was supposedly removed by cleanPath. With a Path Traversal Vulnerability found, the team was able to gain access to an SMB attack vector by adding more arbitrary ‘C:/’ to strings to allow connections. Code execution is obtained by extracting a compressed executable file from an ace archive that’s been renamed to a .rar to a startup folder which will run the code on machine boot. The code itself is arbitrary and the consequences of this can be catastrophic.
You can even ignore usernames using the WinRar subkeys by right clicking on the archive in question, and moving it using that tool. This works because of how ‘C:’ is interpreted by windows. It represents the current directory of the running process, so inside of the WinRaR gui, it would be the WinRar folder, but using the menu option, it becomes C:\Users\<user name>\<location of the file>. When this exploit was reported to WinRar, they claimed that it was the third party’s code that allowed the arbitrary folder creation and decided to drop the support for the ACE archive format.