Check Point infosec eggheads are today laying claim to discovering a Windows archiving security flaw that appears to have been lurking since 2005, if not earlier.
The programming cockup can be exploited when a user opens a malicious archive, perhaps one sent by email or downloaded from a website: unpacking it can plant malware smuggled within the file somewhere that Windows will run on the next reboot.
The vulnerability itself lies in unacev2.dll, a library used to parse ACE archives, a little-used compression format that dates back to the 1990s. In practice, the vulnerability would be targeted via WinRAR or other popular archive extraction tools that include and use this wonky .dll. In other words, you get someone to open the archive in WinRAR, which passes it to the library, and then, if the stars align, your victim gets owned.
Specifically, according to Check Point, an attacker can craft a poisoned ACE archive, disguised as a RAR file, that, when opened by WinRAR, exploits a path traversal flaw in unacev2.dll: the file names stored in the archive can walk out of the destination folder, tricking the archiving tool into writing the extracted files to a path of the attacker's choosing.
On its own this would be a nasty flaw; in some situations, however, it becomes a critical one. The Check Point researchers found that while WinRAR by default cannot write to the system-wide Windows startup folder, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, the per-user startup folder at C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup is writable. An attacker who knows the target's Windows user name (as in a spear-phishing situation) can therefore have the archive drop its payload into that startup directory, and when the PC is next restarted Windows launches it automatically: effectively remote code execution on the targeted machine.
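The bug class described above, as an added illustration that is not Check Point's or WinRAR's code: an extractor that trusts the file name stored in an archive entry, beside one that refuses any entry whose final path lands outside the extraction directory. The extraction folder, the user name "alice" and the entry names are constructed here; whether unacev2.dll failed in exactly this way is an assumption, and the point is the containment check an extractor needs.

```python
"""Archive-entry path containment: vulnerable join beside the hardened check.

Constructed example. Windows-style paths are handled with ntpath so the code
runs on any platform; nothing is written to disk, the functions only compute
where an extractor would write each entry.
"""
import ntpath

# Constructed victim layout: extraction directory and per-user Startup folder.
# The user name "alice" is made up.
DEST = r"C:\Users\alice\Downloads\invoice"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed entry names, as an attacker might store them in a crafted archive.
ENTRIES = [
    r"invoice.pdf",                                                        # benign
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropper.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropper2.exe",
    r"docs\..\..\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\dropper3.exe",
]


def extract_unsafe(dest, name):
    """Vulnerable: join the stored name to the destination and normalise.

    Any '..' components or an absolute name escape dest; this is the class of
    bug the page describes (whether the real DLL did exactly this is assumed).
    """
    return ntpath.normpath(ntpath.join(dest, name))


def safe_target(dest, name):
    """Hardened: return the resolved path only if it stays inside dest, else None."""
    # Belt and braces: a colon can only mean a drive letter or an NTFS alternate
    # data stream; neither belongs in an archive entry name.
    if ":" in name:
        return None
    # Reject absolute, rooted and UNC names outright.
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith(("\\", "/")):
        return None
    # Compare normalised, case-folded paths (NTFS is case-insensitive), and
    # require the separator so "...\invoice2\x" is not accepted for "...\invoice".
    root = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, name)))
    if target == root or not target.startswith(root + "\\"):
        return None
    return ntpath.normpath(ntpath.join(dest, name))


def plan_extraction(dest, names):
    """For each entry: (name, where the unsafe extractor writes, where the safe
    one writes or None, whether the unsafe write lands in the per-user Startup)."""
    startup = ntpath.normcase(STARTUP)
    report = []
    for name in names:
        unsafe = extract_unsafe(dest, name)
        in_startup = ntpath.normcase(ntpath.dirname(unsafe)) == startup
        report.append((name, unsafe, safe_target(dest, name), in_startup))
    return report


if __name__ == "__main__":
    for name, unsafe, safe, in_startup in plan_extraction(DEST, ENTRIES):
        flag = "  <-- per-user Startup, runs at next logon" if in_startup else ""
        print(f"{name}\n  unsafe -> {unsafe}{flag}\n  safe   -> {safe}")
```

The second and third entries reach the per-user Startup folder through the unsafe join (via `..` and via an absolute name respectively) and are both refused by the hardened check; the fourth reaches the system-wide StartUp folder, which the page notes WinRAR cannot write to by default, but it is refused all the same, since the check is on containment, not on the target being interesting.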
Due to the age of the vulnerable component, a fix was not easy to pull off. The last commercial program to offer ACE archiving was released in 2007, and the company making that software went dark in 2017. The vulnerable .dll itself hadn't been updated since 2005.
Because of this, WinRAR says it is just going to drop the entire dated ACE format, killing off the vulnerability.
"Nadav Grossman from Check Point Software Technologies informed us about a security vulnerability in UNACEV2.DLL library. The aforementioned vulnerability makes it possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives," WinRAR said.
"WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users."
The ACE format has been removed in 5.70 beta 1, so that release and every later version of WinRAR are protected from the bug; anyone still running an older build remains exposed until they update. ®