Opening the archive is enough: WinRAR to execute malicious code

A security researcher from the Zero Day Initiative (ZDI) working under the pseudonym “goodbyeselene ” recently pointed out a vulnerability in the widely used archiving tool WinRAR that allows attackers to execute malicious commands on a target system.

image: WinRAR

WinRAR: Opening special RAR files is enough

All that is required for exploiting the CVSS 7.8 critical vulnerability is a very simple user interaction: the target just needs to open a specially crafted RAR archive with WinRAR. While archived malware usually only becomes a problem when the user unpacks it, the danger in this case lies in the implementation of the archiving tool itself, which enables the execution of malicious code. Unpacking the contents of the archive file is therefore not required for exploitation.

According to the researcher, the reason for this lies in the processing of so-called recovery volumes by the packing program. An improperly implemented validation of user data means that an attacker can provoke a “memory access beyond the end of an allocated buffer”. As a result, it is possible for it to “execute malicious code in the context of the current process”.

A patch is already available

The WinRAR developer, known as Rarlab, already released a patched version of the archiving tool on August 2 that closes the vulnerability registered as CVE-2023-40477. The ZDI researcher first drew the developer’s attention to the vulnerability on June 8, 2023. Last Thursday he finally shared his findings with the public.

The patch is available from version 6.23 of WinRAR, which can be downloaded as usual from the ComputerBase download area below this message. Users who are still using an older version are recommended to update the archiving tool as soon as possible.

WinRAR: 7-Zip is not affected

Its developer Igor Pavlov has already given the all-clear for users of 7-Zip. 7-Zip is not affected by the problem because the tool uses neither the unrar.dll nor any other part of the original unrar source code. ” The original unrar source code was used for reference only,” Pavlov said.

Since Windows 11 should be able to process RAR files and other archive formats ex works in the future, the use of WinRAR should soon become obsolete for many users anyway.

As Heise Online claims to have found out in the meantime, the security hole apparently does not only relate to WinRAR itself but also to other applications that make use of the unrar. Elland libraries. unrar64.For example, the developer of Total Commander has now released a corresponding patch for its file manager.

In addition, AV-Test’s Andreas Marx pointed out that he had identified ” over 400 programs ” using the libraries provided by Rarlab. Antivirus programs that use these DLLs to search RAR archives are also affected.

On top of that, security researchers from Group-IB recently pointed out yet another vulnerability named CVE-2023-38831, which was also fixed with WinRAR version 6.23. Cybercriminals have been exploiting this since April to spread malware to specialists.

Since there has been a lot of ambiguity over the past few days as to which applications are affected by CVE-2023-40477 and which are not, the developer of WinRAR has now published a statement on the matter himself. Accordingly, the libraries provided by Rarlab are unrar.dllgenerally unrar64. dllnot susceptible to exploitation of the vulnerability. The reason for this is the fact that the DLL files do not even contain the problematic code, as this is prevented by a preprocessor variable called “RARDLL”.

Furthermore, Rarlab points out that it is difficult for attackers to “control the content of data written beyond the buffer edge”, so targeted execution of malicious code appears far from trivial. “Everything we’ve seen so far is a denial of service, which is an application crash that doesn’t lead to code execution, system file overwriting, or other serious security implications”, the developer said.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top