New WinRAR Trialware Vulnerability Allows MiTM Attacks

  • WinRAR trialware has a new vulnerability marked CVE ID – CVE-2021-35052.
  • The vulnerability is exploitable to launch a MiTM attack and gain remote device access.
  • Users of WinRAR trialware version 5.7 or earlier should exercise caution.

A recent investigation of the WinRAR trial version has revealed a noticeable vulnerability marked as CVE ID – CVE-2021-35052 that potentially enables an attacker to intercept and modify requests intended for the application user. A hacker could use a Remote Code Execution (RCE) on the remote device.

The actual discovery occurred as a matter of chance on WinRAR version 5.70. The app produced a JavaScript error indicating an issue with the WebBrowser JS parser within WinRAR. A little bit of digging allowed the researcher to discover an mshtml.dll file used for implementing Borland C++, WinRAR’s base code language. This file comes up only after the trial period has expired and once every three launches.

source: PT SWARM

To investigate the error further, the researchers linked a Windows proxy setting up a local Burp Suite. The notification request is sent via HTTPS, which relays through the unsecured Burp self-signed certificate. Nevertheless, most users do not actually read the notification and just click ‘Yes.’ This can be a chance to launch a MiTM attack and compromise the user’s device.

Anticipating this possibility, the researchers tried modifying intercepted responses. They altered the app’s native response code to “301 Moved Permanently” and set up a redirect “attacker.com.” This was a better alternative redirect to “notifier.rarlab.com” which led to the RAR website and all redirects after that went to the “attacker.com.”

source: PT SWARM

Next, the researchers tried using several attack vectors to launch a Man-in-the-Middle attack. This usually requires ARP-spoofing and this put the researchers in Zone 1 of the IE security zones. The majority of these attacks vectors succeeded, but a majority also threw up an additional Windows security warning.

The success criterion was that the prompt option “Run” must be selected instead of “Cancel.” The security warning can be bypassed by simply using RAR files in a WinRAR version earlier than version 5.7. App users are recommended to use paid versions or the latest versions when using .rar files.

REVIEW OVERVIEW

Latest

Instagram Reveals New Tools to Keep Teens Safe, Including Parental Controls

Instagram announced its intent to take a 'stricter approach' regarding the content it shows to teen users. As part of Instagram's new tools,...

Microsoft Seizes Chinese-Based Hacker Group’s Websites

Microsoft has taken down several websites used by the China-backed hacker group called Nickel.The seized websites were used to gather information from...

LINE Pay App Leaked the Data of 133,000 Users on GitHub

LINE Pay reported that a research group employee accidentally uploaded 133,000 users' payment information on GitHub. The leaked data was accessed 11 times...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari