WinRAR, available to Windows users, is an archiving tool that can decompress .ZIP, .RAR and .7Z files, among others. Mohammad Reza Espargham, an Iranian researcher at Vulnerability Lab, discovered the bug and reported it to Full Disclosure, a popular forum for disclosing security information. According to the disclosure details, the bug affects the latest version, 5.21, and can be exploited by any attacker who puts malicious HTML code into the “Text to display in SFX window” section when creating a new SFX file.
“The vulnerability allows unauthorised remote attackers to execute system specific code to compromise a target system,” he said. The vulnerability is said to affect all versions of WinRAR SFX, which could pose a serious threat to thousands of its users. The existence of the vulnerability has also been independently confirmed by the security firm Malwarebytes.

SFX archives are a specific kind of RAR file that is very often wrapped around pirated software to install files into the right directory or to show instructions to users as they unpack the files. If exploited, the vulnerability allows a remote attacker to execute malicious code when a victim tries to unpack an SFX archive, a type of RAR file that is often used to safeguard executable files.

“Basically, the attack uses the option to write HTML code in the text display window when creating a SFX archive,” writes Malwarebytes. “The attackers saved in the SFX archive input the malicious generated HTML code. This results in a system specific code execution when a target user or system is processing to open the compressed archive,” said Espargham. He rated the threat posed by this flaw as “critical” and gave it a CVSS (Common Vulnerability Scoring System) score of 9.2.

The researcher said the defect can be resolved through a “secure parse and encode of the url value parameter in the outgoing module GET method request”. Further, Mr Espargham stated, it is necessary to restrict the input and avoid special characters. Filtering the input to block “further client-side cross site scripting attacks” is also suggested.

The vulnerability, flagged as critical, is all the more alarming because it requires very little user interaction: if the affected file is opened, the malware could compromise the device or network. However, the team behind WinRAR downplayed the severity.
“It is useless to search for supposed vulnerabilities in the SFX module or to fix such vulnerabilities, because as any EXE file, SFX archive is potentially dangerous for a user’s computer by design,” the WinRAR team said in a statement. Instead of using an SFX archive, the team argued, it would be just as easy for attackers to bundle a malicious executable. “We can say that limiting SFX module HTML functionality would hurt only those legitimate users, who need all HTML features, making absolutely no problem for a malicious person, who can use previous version SFX modules, custom modules built from UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run .exe files, either SFX archives or not, only if they are received from a trustworthy source,” WinRAR further added.
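The two mitigations Espargham names above (filtering the SFX display text for active client-side content, and encoding it so markup renders literally) as an added example that is not WinRAR's or the researcher's code; it operates on the text destined for the “Text to display in SFX window” field, and the pattern labels and the sample input are this example's own constructions.

```python
import html
import re

# Patterns for active content that has no place in a plain SFX text window.
# The labels and patterns are this example's own choice, not WinRAR's.
ACTIVE_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "embedded-object": re.compile(r"<\s*(iframe|object|embed|applet)\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"javascript\s*:", re.I),
    # src/href pointing at a remote or UNC location (http:, file:, \\server)
    "external-resource": re.compile(
        r"\b(src|href)\s*=\s*['\"]?\s*(https?:|file:|\\\\)", re.I),
}


def flag_active_html(display_text: str) -> list:
    """Return the label of every active-content pattern found in the text.

    An empty list means the text carries only inert formatting or plain text.
    """
    return [label for label, rx in ACTIVE_PATTERNS.items()
            if rx.search(display_text)]


def neutralize_display_text(display_text: str) -> str:
    """Encode the text so any markup is shown literally instead of interpreted.

    This is the 'encode' half of the suggested fix: <, >, &, and quotes become
    HTML entities, so a rendering SFX module cannot treat them as tags.
    """
    return html.escape(display_text, quote=True)


# Constructed sample of an attacker-controlled display text (not from the page).
MALICIOUS_SAMPLE = (
    "Installer notes <script>alert(1)</script> <img src=x onerror=alert(1)>"
)

if __name__ == "__main__":
    findings = flag_active_html(MALICIOUS_SAMPLE)
    print("findings:", findings)              # ['script-tag', 'event-handler']
    print("encoded:", neutralize_display_text(MALICIOUS_SAMPLE))
```

A build pipeline that produces SFX archives can reject any text that `flag_active_html` reports on and pass the rest through `neutralize_display_text` before embedding it.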