A 19-year-old security flaw, which lets hackers install malware on a system, has been found in WinRAR, the popular Windows file archiving tool.
WinRAR, which has been a popular and powerful archive manager for over two decades, is used for backing up data, compressing files (and thus reducing the size of email attachments), decompressing files downloaded from the Internet (RAR, ZIP and other formats) and creating new archives in both RAR and ZIP formats. Researchers have now found a 19-year-old bug in this archive manager.
Security researchers at Check Point, the Tel Aviv-based cybersecurity firm, have discovered a bug in WinRAR that had gone undetected for a long time. They found it during a fuzz test, an automated software-testing technique that feeds random or malformed data to a program in order to induce crashes. They found that this vulnerability can be used by hackers to install malware on a system and gain control over it.
A detailed Check Point article, based on research by security researcher Nadav Grossman, discusses various aspects of this bug. The article says, “A few months ago, our team built a multi-processor fuzzing lab and started to fuzz binaries for Windows environments using the WinAFL fuzzer. After the good results we got from our Adobe Research, we decided to expand our fuzzing efforts and started to fuzz WinRAR too…One of the crashes produced by the fuzzer led us to an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.) and is used by WinRAR.”
The article further explains, “We turned our focus and fuzzer to this “low hanging fruit” dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution…However, the fuzzer produced a test case with “weird” behavior. After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution.”
So, as the article explains, the vulnerability lies in an old dll (UNACEV2.dll) used to process files compressed in the ACE format, and it has put over 500 million users at risk. Hackers can exploit this bug to drop executable files into a system’s start-up folder, so that those programs run automatically on every boot. The severity is increased further because a malicious ACE archive can simply be renamed to look like a RAR archive without losing the exploit.
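The root cause described above is that entry names taken from the archive itself were trusted as output paths. As an added example that is not Check Point's or WinRAR's code, this Python helper shows the check an extractor should make before writing each entry: it rejects absolute and drive-letter paths and any component that would climb above the chosen destination directory. The entry names in SAMPLE_ENTRIES are constructed samples, not taken from a real archive.

```python
import posixpath
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as C:
# Constructed sample listing (not from a real archive), mixing benign and traversal-style names.
SAMPLE_ENTRIES = [
    "report/2019/summary.txt",
    "images\\logo.png",
    "docs/./readme.md",
    "../../../Users/Public/dropped.exe",
    "C:\\Users\\Public\\dropped.exe",
    "\\\\server\\share\\dropped.exe",
    "/etc/cron.d/dropped",
    "a/b/../../../dropped.exe",
]


def normalize_entry(name: str) -> str:
    """Return a clean relative path for an entry, or raise ValueError if it escapes."""
    unified = name.replace("\\", "/")            # treat both separator styles alike
    if DRIVE_RE.match(unified) or unified.startswith("/"):
        raise ValueError(f"absolute path rejected: {name!r}")
    norm = posixpath.normpath(unified)           # collapses '.' and inner '..'
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:               # a leading '..' survives normpath
        raise ValueError(f"parent traversal rejected: {name!r}")
    return "/".join(parts)


def safe_target(dest_dir: str, name: str) -> str:
    """Join a validated entry onto dest_dir and confirm the result stays inside it."""
    dest = posixpath.normpath(dest_dir.replace("\\", "/"))
    target = posixpath.join(dest, normalize_entry(name))
    if not target.startswith(dest + "/"):
        raise ValueError(f"escapes destination: {name!r}")
    return target


def audit_listing(dest_dir: str, entries):
    # Map each entry to None if safe, else the rejection reason (for logging or blocking).
    result = {}
    for entry in entries:
        try:
            safe_target(dest_dir, entry)
            result[entry] = None
        except ValueError as exc:
            result[entry] = str(exc)
    return result


if __name__ == "__main__":
    for entry, reason in audit_listing("C:/extract", SAMPLE_ENTRIES).items():
        print("OK   " if reason is None else "BLOCK", entry, reason or "")
```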
However, the creators of WinRAR, on being notified of this issue, decided to drop UNACEV2.dll from their package and also stopped supporting the ACE format from the latest version (version number: “5.70 beta 1”).