So Twitter exploded earlier with calls of a remote code execution WinRAR vulnerability leaving half a BILLION users open for some hardcore exploitation.

I got interested (obviously..as that’s what I do here) and went to read about it, I have to call pretty sketchy, non-technical reporting from the The Register for once, it seems like it was written by an intern.

To summarise the news…shocker, executing an executable leads to code execution – yah really, no shit?

The fact that it allows you to download a file from the SFX (Self Extracting RAR files basically) panel and execute that, that’s a little shady, but you’ve already executed the .exe self unpacking file..so if it’s from a dubious source, you kinda deserve whatever happens from there on in.

Half a billion users are at risk from a public zero day remote code execution exploit affecting all versions of the popular WinRAR compression software. A proof-of-concept exploit has been published. Its creator reckons it works on all versions of WinRAR, making it very likely that it will be used by criminals in phishing attacks. WinRAR has been a popular shareware unzipping tool for Windows users over the last two decades. It is plugged heavily thanks to many reviews by software download sites like CNET and Softpedia. Iranian researcher Mohammad Reza Espargham reported the hole to the Full Disclosure security mailing list. “The vulnerability allows unauthorised remote attackers to execute system specific code to compromise a target system,” Espargham says. “The issue is located in the text and icon function of the ‘text to display in SFX’ window module.” “Remote attackers are able to generate [their] own compressed archives with malicious payloads to execute system specific codes for compromise.”

Now if this trick worked when opening a .rar file with WinRAR, I’d say that could be a serious problem. But only for SFX (self extracting executable archive) files – not an issue really.

You can watch the PoC of the ‘exploit’ here.

I’m honestly surprised all the major sites are reporting on this like it’s a big thing. Did anyone stop and actually read what’s happening here?

Espargham puts the severity score at 9.2 since it requires a low competency to exploit and requires that users only open the file. Torrent files for games and applications would be a nice attack vector given attacks could be made stealthy. The vulnerability has not yet received a CVE number by which major bugs are tracked and scored. Users could be owned if the decompress malicious SFX files. Attackers can write HTML code to WinRAR’s window that will run on a target machine when the archive is opened. MalwareBytes researcher Pieter Arntz says the proof of concept needs subtle tweaking out of the tin for it to work properly. “The proof-of-concept requires some trivial changes before I got it to work,” Arntz says, but that might have been down to a Perl version conflict.

And honestly, why is anyone still using WinRAR since 7zip came out? There’s no excuse at all.

I’m not really surprised this has no CVE, and honestly don’t really expect it to get one. Might WinRAR fix this hole? Probably not, as it’s how SFX works. Why go to such trouble when you could bind malware directly to the SFX archive and have that execute.

Is it serious?

NO.

Source: The Register