A Two-Decade Old Code Execution Vulnerability on WinRAR Has Just Been Discovered

• Users of WinRAR opening an ACE archive may end up having extractions of malicious files in various locations.
• The old bug was discovered by Checkpoint while exploring fuzzing in various archiving tools.
• The vulnerability has the potential to affect about 500 million users of the WinRAR archiver.

Checkpoint researchers discovered a 19-year old vulnerability that allows a malicious attacker to create an “ACE” archive that is disguised as a RAR file, and once the user opens it to exploit a security flaw in the obsolete “unacev2.dll” and extract files wherever the attacker wants, like the startup folder for example. The archive can be created in such a way, that an innocent file is created in the destination selected by the user, so if malware is placed elsewhere, it will be highly unlikely that the average Joe will even realize it.

ACE is not a popular data compression file format and is currently considered deprecated. When released, it boasted slightly better compression rates than RAR, so utilities like WinRAR had a reason to support it. As the popularity of ACE dropped to almost zero after the early 2000s, WinRAR developers probably thought that their ACE parsing library “unacev2.dll” doesn’t need an update for any reason. With virtually no one using ACE archives, the security flaw remained covered until now, and WinRAR decided that dropping support for the ACE format entirely would be the best way to address the issue.

source: research.checkpoint.com

As WinRAR mentions in the 5.70 beta 1 release notes, they do not have access to the source code of the problematic library as it’s a third party, so striping it out of WinRAR is the only way to go now. That said, users are advised to update from 5.61 to 5.70 beta 1, as the ACE file can be masqueraded to pose as an archive of a different format. WinRAR doesn’t care about filetypes, so when the ACE archive is opened, the software will still use unacev2.dll to extract it. That said, if you’re using version 5.61 or earlier to extract a file of whatever type it may seem to be, you are in risk of letting an attacker arbitrarily extract something outside the designated destination folder.

Are you using WinRAR or any other ACE archive extracting tool that may employ the unacev2.dll library? Share your thoughts in the comments section below, and don’t hesitate to do the same on our socials, on Facebook and Twitter.