Internet Security Blog - Hackology
WinRAR Vulnerability

[PoC] WinRAR Vulnerability Actively Exploited by Hackers

Do you use WinRAR on your windows? Have you updated it to the latest version? You are advised to update WinRAR to latest version 5.70 beta 1, as the WinRAR development team has patched the wildly used vulnerability.

A critical remote code execution vulnerability recently addressed by WinRAR is actively exploited by several threatening players.

The use of the wild flaw is worrying because WinRAR has no auto-update features, which leaves millions of users at risk of cyber assault. More than 500 million users worldwide use WinRAR and the bug that has affected all releases over the last 19 years is potentially impacting.

WinRAR Vulnerability Explained

The CVE-2018-20250 vulnerability could enable the attacker to gain control of the target System by experts at Check Point during February.

Archive file could be used to execute arbitrary code to exploit the “Absolute Path Traversal” flaw in the library.

The vulnerability lies in a third-party library called “UNACEV2.DLL”, used by Winrar, which is a way of handling the extraction of files compressed in ACE-data format. Experts indicated that, by analyzing the content of the WinRAR file format, the attacker could change the .ace extension to the .rar extension to trick people.

The researchers found that a path traversal flaw could extract compressed files into a folder of attacker choice instead of the user’s selected folder. If a malicious code were to be dropped into the Windows Startup folder, the next reboot would start it automatically.

The RAR file extracts original MP3 files into the download folder of the victim together with a malicious executable file in the startup folder that allows the targeted system to be exploited.

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.

WinRAR Exploit PoC

How the victim is triggered into opening compressed archive file using WinRAR to gain complete control over a targeted system shown in the video below.

Wildly used Exploit Using WinRAR Vulnerability

Just days after the flaw was disclosed, researchers at the 360 Threat Intelligence Centre found a malicious RAR archive campaign that could exploit malware installed on a computer.

Now, McAfee security experts reported that the WinRAR bug is still exploited by attackers and that in the first week of the vulnerability, they identified more than “100 unique exploits and counts.”

Advisory published by McAfee reads,

In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.

In a case where an attacker was trying to propagate the malware through the bootlegged copy of the hit – album “Thank U, Next” from Ariana Grande, the experts say the majority of initial targets were in the United States with the naming of an “Ariana Grande – thank u, next(2019) [320].rar” file.

WinRAR Flaw Ariana Grande
Ariana Grande was the first known WinRar file found in wild exploiting the vulnerability.

A limited number of antivirus solutions are currently identifying the file associated with the fake Ariana Grande hit album.

It is recommended that only the latest version of WinRAR should be used and files from untrusted sources should not be opened.

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Utopia p2p Ecosystem

Discover more from Internet Security Blog - Hackology

Subscribe now to keep reading and get access to the full archive.

Continue reading