The popular WinRAR compression software can be abused to produce self-extracting archives that execute smuggled-in JavaScript code when decompressed.

A proof-of-concept exploit to pull off the trick has been published, and its creator reckons it works on all versions of WinRAR.

It's not quite the end of the world, though: only HTML and JavaScript hidden within the archive is parsed and executed, rather than arbitrary machine code. And being a self-extracting archive, it's basically a .exe file you're asking people to download and trust to run, anyway.

But it's pretty amusing that this kinda flaw exists.

WinRAR has been a popular shareware unzipping tool for Windows users over the last two decades. It is plugged heavily thanks to many reviews by software download sites like CNET and Softpedia.

Iranian researcher Mohammad Reza Espargham revealed the hole on the Full Disclosure security mailing list.

"The vulnerability allows unauthorised remote attackers to execute system specific code to compromise a target system," Espargham told Full Disclosure.

"The issue is located in the text and icon function of the 'text to display in [the self-extracting archive's]' window module. Remote attackers are able to generate [their] own compressed archives with malicious payloads to execute system specific codes for compromise."

Youtube video

The HTML and JavaScript injected into WinRAR self-extracting archives will execute when the file is decompressed; these scripts can pull in malicious executables from the internet and run them, or cause other mischief – perhaps even exploit a vulnerability in whatever JavaScript engine is being used.

The proof-of-concept code downloads and runs the SSH tool Putty.exe, by way of example.

If you can find suckers who will trust a .exe labelled as self-extracting archive over any other program they download from the web, then you can trick them into running your smuggled JavaScript.

MalwareBytes researcher Pieter Arntz says the proof-of-concept code needed subtle tweaking for it to work properly.

"The proof-of-concept requires some trivial changes before I got it to work," Arntz said, but that might have been down to a Perl version conflict. ®

Editor's note: This story has been updated to clarify what's possible when exploiting the flaw.