this post was submitted on 19 Aug 2023

A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive.

[–] TheLameSauce 4 points 1 year ago (2 children)

Forgive my ignorance, but hasn't this vulnerability existed pretty much as long as archive filetypes have? For as long as I can remember it's been standard practice to distrust any archive file I didn't create myself or get directly from a trusted source, I thought for this very reason.

Or is the actual headline that this vulnerability is finally addressed in WinRAR?

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

And from the linked advisory:

The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

What's going on is the specially crafted RAR, when opened, creates an unchecked buffer overflow. This dumps a shell to the process, and a payload can be executed in that shell, hiding from the user behind that process. This is different than the normal behavior you describe, where extracting a RAR can autolaunch executable code contained in the RAR in its own separate process, visible to the user (in task manager, for example), and running in the user context.

In Windows, if you have run WinRAR with admin rights, and confirmed with the User Access Control (UAC) dialog, the attacker code would also run with admin rights, without any additional UAC warning. In the "normal" behavior, you would get a second UAC warning when the autorun executable tried to run.

Pretty much whenever you see the phrase "arbitrary code execution," this is the kind of thing that's happening. Some of those are more serious than others, depending on the flaw. Certain kinds of flaws can return a shell in the SYSTEM context, which has even more permissions than admin.
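The class of defect the advisory describes above (a length taken from the archive and used without validation, so a copy runs past the end of a buffer), shown as an added illustration that is not code from the article, the advisory or WinRAR: a constructed, simplified entry-header layout is parsed first without a bounds check and then with one. The header format, function names and sample bytes are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed entry-header layout (not the real RAR format): a 2-byte
 * little-endian name length followed by the name bytes. */
#define NAME_CAP 32

/* Unchecked parser: trusts the length field read from the file. A crafted
 * header with name_len > NAME_CAP writes past the end of `name`, the kind of
 * out-of-bounds memory access the advisory describes. Never call this on
 * untrusted input; it is here only to show the missing check. */
static int parse_entry_unchecked(const uint8_t *hdr, char *name)
{
    uint16_t name_len = (uint16_t)(hdr[0] | (hdr[1] << 8));
    memcpy(name, hdr + 2, name_len);   /* no check against NAME_CAP */
    name[name_len] = '\0';
    return (int)name_len;
}

/* Hardened parser: validates the file-supplied length against both the
 * destination capacity and the bytes actually present before copying. */
static int parse_entry_checked(const uint8_t *hdr, size_t hdr_len,
                               char *name, size_t name_cap)
{
    if (hdr_len < 2) return -1;
    uint16_t name_len = (uint16_t)(hdr[0] | (hdr[1] << 8));
    if ((size_t)name_len >= name_cap) return -1;   /* keep room for the NUL */
    if ((size_t)name_len > hdr_len - 2) return -1; /* claims more than present */
    memcpy(name, hdr + 2, name_len);
    name[name_len] = '\0';
    return (int)name_len;
}

/* Constructed sample headers: a well-formed entry and a crafted one whose
 * length field (0xFFFF) far exceeds both the buffer and the data present. */
static const uint8_t benign_hdr[]  = { 0x09, 0x00, 'n','o','t','e','s','.','t','x','t' };
static const uint8_t crafted_hdr[] = { 0xFF, 0xFF, 'A','A','A','A' };

int demo_benign(void)  { char n[NAME_CAP]; return parse_entry_checked(benign_hdr, sizeof benign_hdr, n, NAME_CAP); }
int demo_crafted(void) { char n[NAME_CAP]; return parse_entry_checked(crafted_hdr, sizeof crafted_hdr, n, NAME_CAP); }
int demo_unchecked_benign(void) { char n[NAME_CAP]; return parse_entry_unchecked(benign_hdr, n); }

int main(void)
{
    printf("benign (checked):    %d\n", demo_benign());           /* 9  */
    printf("crafted (checked):   %d\n", demo_crafted());          /* -1 */
    printf("benign (unchecked):  %d\n", demo_unchecked_benign()); /* 9  */
    return 0;
}
```

The checked parser rejects the crafted header before any copy happens, which is the validation the advisory says was missing; the unchecked parser is only ever run on the benign header here.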

[–] [email protected] 1 points 1 year ago (1 children)

How does an unchecked buffer overrun result in dropping to a shell inside the containing process though?

[–] [email protected] 1 points 1 year ago

I'm not super clear on that, and I'm eager to have someone inform/correct me, but here's my understanding:

It's like a crash. The running program tells the system to address memory that is not available to be addressed, and the system goes "Uh, what?" and drops into a state where it has stopped following the code from the initial thread (which I am sure is not the right terminology) and waits blankly for new code to be received.

Then the still running-but-"hung" process delivers that "arbitrary code," and the system dutifully executes it.

[–] [email protected] 2 points 1 year ago

I think you're talking about the tar bomb or zip bomb. This new one is far worse.