A 14-year-old undetected bug found in WinRAR
Check Point security researchers say they have found a Windows archiving security flaw that appears to have been present since 2005 or earlier; its exact age cannot be determined.
The programming error can be exploited when a user opens a malicious archive, for example one sent by email or downloaded from a website. On unpacking, malware smuggled inside the archive can be dropped in a location where it executes on the next reboot.
The issue lies in a library called unacev2.dll, which is used to parse ACE archives, a little-used compression format dating back to the 1990s. In practice the vulnerability would be targeted through WinRAR or other archive extraction tools that use this outdated .dll file.
According to Check Point, an attacker can craft a poisoned ACE archive, possibly disguised as a RAR file, which when opened by WinRAR exploits a path traversal flaw in unacev2.dll. The flaw fools the archiving tool into extracting files to a path of the attacker's choice rather than the folder the user selected.
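The defence against this class of bug is to validate every archive member name against the chosen extraction folder before writing anything to disk. The following is an added example of such a check, not code from WinRAR, the ACE library or Check Point; the member names and destination folder are constructed for illustration.

```python
import os
from typing import List, Tuple


def is_safe_member(dest_root: str, member_name: str) -> bool:
    """Return True only if the member would be written inside dest_root."""
    # Windows archivers accept both separators, so normalise before checking.
    name = member_name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes never belong in an untrusted archive.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    root = os.path.abspath(dest_root)
    # abspath collapses '..' segments, so a traversal shows up as a target
    # whose resolved path no longer lies under root.
    target = os.path.abspath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def check_archive(dest_root: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted, rejected) without touching the disk."""
    accepted = [m for m in members if is_safe_member(dest_root, m)]
    rejected = [m for m in members if not is_safe_member(dest_root, m)]
    return accepted, rejected


# Constructed sample: one benign entry and three that try to escape the folder.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "../../Startup/update.exe",
    "C:\\Users\\victim\\update.exe",
    "/etc/cron.d/update",
]

if __name__ == "__main__":
    ok, bad = check_archive("/tmp/extract", SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```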
In some situations the bug poses a critical risk; in others it is just another security flaw. The researchers found that while WinRAR does not normally have access to the Windows Startup folder, in some cases a second directory becomes accessible.
A fix was not easy to produce because of the age of the vulnerable component. The last commercial program to offer ACE archiving was released in 2007, and the company behind it went dark in 2017. The vulnerable .dll itself had not been updated since 2005. WinRAR says it is simply going to drop the dated ACE format entirely to cut off the vulnerability.