Background

A 19-Year-Old WinRAR Bug May Have Put More Than 500 Million Users At Risk

WinRAR is a file archiver utility, developed by Eugene Roshal at Rarlab.

The software allows users to create and view archives in RAR or ZIP file formats, and unpack numerous archive file formats. With its ability to test the integrity of archives and its support for encryption, WinRAR is one of the most popular file archivers of all time.

In February, cybersecurity firm Check Point disclosed a vulnerability that had existed in WinRAR for almost two decades.

The potential attack vector was a result of WinRAR's support for the outdated ACE archive format. This potentially allows those with malicious intent to give an ACE file a .rar extension, and then use it as a trap to execute malicious code from a victim's startup folder after a reboot.

The discovery of the bug started months prior.

At that time, the team at Check Point built a multi-processor fuzzing lab and started to fuzz binaries for Windows environments using the WinAFL fuzzer.

After seeing good results, the team decided to expand their fuzzing efforts and started to fuzz WinRAR too.

Here, the team found crashes produced by the fuzzer, which led them to an old, dated dynamic link library (.dll) that was compiled without protection mechanisms (like ASLR, DEP, etc.).

"After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution," explained Nadav Grossman in a Check Point post.

The reason is that WinRAR was using a third-party tool to unpack ACE archives, and that tool hadn't been updated for a long time.

"Creating an ACE archive is protected by a patent. The only software that is allowed to create an ACE archive is WinACE. The last version of this program was compiled in November 2007. The company’s website has been down since August 2017. However, extracting an ACE archive is not protected by a patent."

WinRAR is a Windows-only program.

Given its decades on the market, WinRAR is easily one of the most downloaded pieces of software in history. Frequent Windows users in any part of the globe must have heard about this particular file compression utility.

Rarlab has issued a patch by releasing WinRAR version 5.7, which drops the UNACEV2.dll file from the software. This finally ends its support for the ACE archive format.

However, the company stated that users who are not using the updated version of WinRAR are still at risk.
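
One way to check a machine for the exposure described above, as an added example (not code from Check Point, Rarlab or the original article): the script walks a directory, flags files whose header is ACE but whose name does not end in .ace, and lists leftover copies of UNACEV2.dll. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# ACE archives carry the marker "**ACE**" at offset 7 of the main header;
# RAR archives start with "Rar!\x1a\x07".
ACE_MAGIC, ACE_OFFSET = b"**ACE**", 7
RAR_MAGIC = b"Rar!\x1a\x07"

def sniff_format(path):
    """Return 'ace', 'rar' or 'unknown' from the header, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(ACE_OFFSET + len(ACE_MAGIC))
    if head[ACE_OFFSET:ACE_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    if head.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"  # also covers truncated files

def audit(root):
    """Walk root and return (disguised_ace_files, unacev2_dll_copies)."""
    disguised, dlls = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "unacev2.dll":
                dlls.append(full)  # old ACE unpacker still installed
            elif not lower.endswith(".ace"):
                try:
                    if sniff_format(full) == "ace":
                        disguised.append(full)  # ACE content, other extension
                except OSError:
                    continue  # unreadable file: skip it
    return sorted(disguised), sorted(dlls)

def build_demo_tree(root):
    """Write constructed sample files (headers only, not real archives)."""
    samples = {
        "album.rar": b"\x00" * 7 + b"**ACE**" + b"\x00" * 16,  # ACE header, .rar name
        "backup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,      # genuine RAR header
        "short.rar": b"Rar",                                   # truncated file
        "UNACEV2.DLL": b"MZ",                                  # stand-in for the DLL
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print(audit(tmp))
```

Pointing audit() at a downloads folder or the WinRAR install directory gives a quick triage list; an ACE self-extracting executable keeps its marker elsewhere in the file and is not covered by this header check.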

Hackers have been leveraging the exploit to reach vulnerable systems before users update. WinRAR has an estimated 500 million users, most of whom probably don't know about this vulnerability.

According to McAfee, "over 100 unique exploits and counting" have been identified, "with most of the initial targets residing in the United States at the time of writing."

One particular implementation targets Ariana Grande fans looking to bootleg the artist's popular album 'Thank U, Next' by using a file called Ariana_Grande-thank_u,_next(2019)_[320].rar that is packed with malicious code.

Other campaigns have been used to spread malware through the WinRAR exploit as well.

Published: 19/03/2019