Article 49GQF Nasty code-execution bug in WinRAR threatened millions of users for 14 years

by Dan Goodin from Ars Technica - All content on (#49GQF)

WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a more than 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.

The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn't been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator's choosing, rather than the folder chosen by the person using the program. Because the third-party library doesn't make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.

Researchers from Check Point Software, the security firm that discovered the vulnerability, initially had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. The most obvious path (to have an executable file extracted to the Windows startup folder, where it would run on the next reboot) required WinRAR to run with higher privileges or integrity levels than it gets by default.
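The following is an added example, not code from the article, WinRAR or UNACEV2.DLL: a check an extraction tool can run on each archive entry name so that a name carrying an absolute path or a traversal is refused instead of being written outside the folder the user chose. The function names, the destination folder and the sample entry names are constructed for illustration, and the check covers path placement only.

```python
import ntpath  # Windows path rules, importable on any OS

class UnsafeEntryName(ValueError):
    """An archive entry name that would land outside the chosen folder."""

def safe_target(dest_dir, entry_name):
    """Map entry_name to a path under dest_dir, or raise UnsafeEntryName."""
    if not ntpath.isabs(dest_dir):
        raise ValueError("dest_dir must be an absolute Windows path")
    name = entry_name.replace("/", "\\")
    if not name or "\x00" in name:
        raise UnsafeEntryName("empty name or NUL byte")
    drive, rest = ntpath.splitdrive(name)
    if drive:  # "C:\x", drive-relative "C:x", or "\\host\share\x"
        raise UnsafeEntryName("drive letter or UNC prefix")
    if rest.startswith("\\"):  # rooted on the current drive
        raise UnsafeEntryName("rooted path")
    parts = [p for p in rest.split("\\") if p not in ("", ".")]
    if not parts:
        raise UnsafeEntryName("no file name")
    if ".." in parts:
        raise UnsafeEntryName("parent-directory component")
    if any(":" in p for p in parts):
        raise UnsafeEntryName("colon inside a component")
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, *parts))
    # Defence in depth: the joined path must still sit under base.
    common = ntpath.commonpath([base, target])
    if ntpath.normcase(common) != ntpath.normcase(base):
        raise UnsafeEntryName("resolves outside destination")
    return target

def audit(dest_dir, entry_names):
    """Return {name: None if safe, else the refusal reason}."""
    verdicts = {}
    for name in entry_names:
        try:
            safe_target(dest_dir, name)
            verdicts[name] = None
        except UnsafeEntryName as exc:
            verdicts[name] = str(exc)
    return verdicts

# Constructed sample entry names, not taken from any real archive.
SAMPLE = ["docs/readme.txt", "C:\\other\\x.exe", "C:x.exe", "\\other\\x.exe",
          "\\\\host\\share\\x.exe", "..\\..\\x.exe", "a\\..\\..\\x.exe"]

if __name__ == "__main__":
    for name, why in audit("C:\\Users\\alice\\out", SAMPLE).items():
        print("OK" if why is None else "REFUSED (" + why + ")", name)
```
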

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/