WinRAR Cracked - 14 year old Remote Code Execution flaw found

[rcmaehl]

Source:

Checkpoint

Ars Technica

 

Summary:

No, not a key crack, not like you to need one anyway, a RCE has been found within WINRAR that was unintentionally created over 14 years ago

 

Quotes/Excerpts:

Quote

WinRAR, a...program with 500 million users..., recently fixed a more than 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file. The vulnerability was the result of...a third-party code library that hasn’t been updated since 2005. It possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits. The researchers wrote a proof-of-concept exploit that misrepresented the startup folder—“C:\C:C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe” instead of “C:..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\some_file.exe”—after discovering that a filter function in UNACEV2 library would convert it to the latter location. With that, they created an exploit that dropped code of their choice into the Windows startup, where it would be executed the next time Windows rebooted. In release notes published late last month, WinRAR officials said they patched the vulnerability

 

My thoughts:

As you start including other people's code, dlls, or executables in your program, it's generally a good idea to ensure you keep it up to date and consider replacing or removing it entirely after a period of time. I'm honestly not surprised quite a few programs lately have been found to have decades old security bugs due to other people's code or their implementation of it.

 

Obviously this could have all been avoided if you had just bought a license all those years ago! /s

[TrigrH]

I should probs update winrar then aye, guess ill have to crack it again /s

[pas008]

11 minutes ago, rcmaehl said:

Source:

Checkpoint

Ars Technica

 

Summary:

No, not a key crack, not like you to need one anyway, a RCE has been found within WINRAR that was unintentionally created over 14 years ago

 

Quotes/Excerpts:

 

My thoughts:

As you start including other people's code, dlls, or executables in your program, it's generally a good idea to ensure you keep it up to date and consider replacing or removing it entirely after a period of time. I'm honestly not surprised quite a few programs lately have been found to have decades old security bugs due to other people's code or their implementation of it.

 

Obviously this could have all been avoided if you had just bought a license all those years ago! /s

14 yrs is 2 lifetimes on tech so bound to happen

[Hellion]

What release version has the patch applied? The winrar website does not mention anything regarding this in any of the release notes and it appears 5.70 which has been out since the end of January is still the latest available.

[rcmaehl]

57 minutes ago, Hellion said:

What release version has the patch applied? The winrar website does not mention anything regarding this in any of the release notes and it appears 5.70 which has been out since the end of January is still the latest available.

5.70 beta 1

 

“Nadav Grossman from Check Point Software Technologies informed us about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files in arbitrary folders inside or outside of destination folder 
when unpacking ACE archives. 

https://www.win-rar.com/whatsnew.html?&L=0

[Eaglerino]

why do people use winrar over 7zip

[williamcll]

But you could be using 7zip instead.

[sof006]

5 hours ago, Eaglerino said:

why do people use winrar over 7zip

Force of habit. I tend to install Winrar because it's the first one I used and first one I think of so it's my default. Just like Chrome is my default browser of choice despite Firefox or Opera being a thing.

[RyomaSJibenG]

6 hours ago, Eaglerino said:

why do people use winrar over 7zip

because bookstrap looks much fancier than discount 7-eleven logo

[CiBi]

6 hours ago, Eaglerino said:

why do people use winrar over 7zip

Nostalgia

[TetraSky]

Whenever I see someone uploading something in a .rar, I can't help but think "why the fuck are you using this shit?" when there are just as good, if not better, completely free alternatives, like 7zip...

[JoeCoke]

7Zip saves lives.

[Ithanul]

1 hour ago, TetraSky said:

Whenever I see someone uploading something in a .rar, I can't help but think "why the fuck are you using this shit?" when there are just as good, if not better, completely free alternatives, like 7zip...

No kidding, or that usually now an individual can just use the built in tools in an OS.  I had no need of either WinRAR or 7Zip in years now.

[porina]

3 minutes ago, Ithanul said:

No kidding, or that usually now an individual can just use the built in tools in an OS.  I had no need of either WinRAR or 7Zip in years now.

Not that I used it recently, but the Windows built in support only seems to work on zip, whereas 7z works on pretty much any popular compression format over the years. Also 7zip's native format can give significantly better compression than zip.

[Ithanul]

6 minutes ago, porina said:

Not that I used it recently, but the Windows built in support only seems to work on zip, whereas 7z works on pretty much any popular compression format over the years. Also 7zip's native format can give significantly better compression than zip.

I'm aware it only does zip.  Thankfully, .rar and 7z are two formats I rarely see in compression files I get now a days.  I tend to stick to .zip since the majority of big main OSes can natively unzip that.  Keeps me from having to install some unneccesary third party software on a relative's machine or end user's device.

[paddy-stone]

I tend to only use winrar on those uncommon zip files that error out when using anything other than winrar.

Just an FYI for anyone that didn't know, but 7zip can create .rar files too, if you happen to prefer them for some reason. -

[edit] ^Ignore, I must have remembered wrongly yet again, lol

[RejZoR]

Why people use anything else than 7zip? LZMA2 is the most advanced compression algorithm at the moment. It's second best right after ZPAQ, but with realistically usable speeds. ZPAQ saves few extra megabytes, but takes like 10x longer even on 12 thread "powerhouse". Imagine some poor soul using it on quad core... Not to mention 7z (LZMA2) is extractable by everyone and it's free for any kind of use legally. Giving it an edge over everything else.

 

RAR used to be the shit before LZMA though. But despite RAR5 update, it just doesn't have traction.

[germgoatz]

7Zip is my daddy

[porina]

38 minutes ago, Ithanul said:

I'm aware it only does zip.  Thankfully, .rar and 7z are two formats I rarely see in compression files I get now a days.  I tend to stick to .zip since the majority of big main OSes can natively unzip that.  Keeps me from having to install some unneccesary third party software on a relative's machine or end user's device.

For sure, if compatibility is important (e.g. sending to other people I don't know well) then zip remains the safe choice.

 

Thinking about it more, I don't feel that the primary reason for a zip is necessarily compression any more. Often I see it as a way to group multiple files together for distribution. About the only time it provides a significant saving in file size is the transfer of extremely large text log files in my line of work, and they compress really well.

[Jito463]

14 hours ago, Eaglerino said:

why do people use winrar over 7zip

Personally, I prefer the interface (that includes the context menu interface).  Plus, I bought a license so I may as well use it.

3 hours ago, paddy-stone said:

Just an FYI for anyone that didn't know, but 7zip can create .rar files too, if you happen to prefer them for some reason.

True, though not RAR5 files, if I'm not mistaken.

[Guest]

7 hours ago, Ithanul said:

No kidding, or that usually now an individual can just use the built in tools in an OS.  I had no need of either WinRAR or 7Zip in years now.

This should apply only on Linux desktop environments, I don't remember windows supporting 7-zip natively

[paddy-stone]

4 hours ago, Jito463 said:

Personally, I prefer the interface (that includes the context menu interface).  Plus, I bought a license so I may as well use it.

True, though not RAR5 files, if I'm not mistaken.

Probably, don't know who would use those personally.. was just saying that in some cases people might not be aware of the ability to create certain filetypes, thinking only winrar could create .rar files maybe???

The ONLY time I use it is as I said when 7zip,peazip or other can't unpack the files and throws out an error.

[WereCatf]

I, for one, use WinRAR because I'm used to it, and it can access the contents of quite a handful of various kinds of compressed executables as well. Also, I haven't had any reason not to use WinRAR (and I still don't)

[Syntaxvgm]

7 hours ago, paddy-stone said:

I tend to only use winrar on those uncommon zip files that error out when using anything other than winrar.

Just an FYI for anyone that didn't know, but 7zip can create .rar files too, if you happen to prefer them for some reason.

It doesn't handle encrypted rars well for me, or allow me to make them. That's the only reason I use winrar, in fact I find 7zip can often handle broken/partial files, even encrypted ones on the extraction side, much better. I'm not aware of it being able to create rars though, last time I checked it didn't because the license doesn't allow that? 

[paddy-stone]

4 minutes ago, Syntaxvgm said:

It doesn't handle encrypted rars well for me, or allow me to make them. That's the only reason I use winrar, in fact I find 7zip can often handle broken/partial files, even encrypted ones on the extraction side, much better. I'm not aware of it being able to create rars though, last time I checked it didn't because the license doesn't allow that? 

Wow, just wow... my mind must be playing tricks on me again.. I could've sworn that I used to be able to create .rar files on that program.. apologies folks, my shit memory strikes again!