A remote code execution vulnerability in the WinRAR utility can be potentially used in phishing attacks to take over a victim’s computer. While the vulnerability potentially affects all versions of WinRAR, an update is unlikely to arrive anytime soon.
Mohammad Reza Espargham, a security researcher from the APA Center of Yazd University in Iran, described the vulnerability on the Seclist full disclosure list: Attackers can use the remote code execution vulnerability in WinRAR SFX v5.21 to deploy “system specific code” on the targeted machine. If a user were tricked into opening a malicious RAR file, that would automatically execute the embedded code and allow an attacker to take control of the machine remotely, monitor user activity, and potentially steal information.
The team behind WinRAR downplayed the severity. "It is useless to search for supposed vulnerabilities in the SFX module or to fix such vulnerabilities, because as any EXE file, SFX archive is potentially dangerous for a user's computer by design,” the WinRAR team said in a statement. It would be as easy for attackers to bundle a malicious executable instead of using the SFX archive.
WinRAR is a popular shareware tool used for unzipping RAR, Zip, and 7z files. The attack uses the option to write HTML code in the text display window when creating a SFX archive, a specific type of RAR file commonly wrapped around software to provide users with additional instructions and to ensure files are installed in the right directory. The display window is in the Text and Icon section, under Advanced SFX Options. The attacker can enter malicious code, which is then executed on the computer when the user opens the SFX archive. The proof-of-concept posted by Espargham requires “trivial” changes to work, but is ultimately sound, said Pieter Arntz, a researcher with Malwarebytes.
“A user could as easily be fooled by a fake WinRAR SFX module. So I don't expect them [WinRAR] to patch this in a hurry,” Arntz added in a comment.
Espargham suggested securely parsing and encoding the values to prevent malicious code from being executed, as well as limiting types of input allowed in the display window. The WinRAR team said that limiting SFX module HTML functionality would only hurt legitimate users who need the HTML features. Attackers wouldn’t be impacted by any change or update to WinRAR since they would be able to use older versions to create the archive. The fact that they can take any executable, prepend it to archive, and distribute it “makes discussing vulnerabilities in SFX archives useless,” the team said.
While it’s true that attackers don’t need to embed attack code into the SFX archive when they can simply compress a malicious executable, the prospect of remote code execution can't be taken lightly. In one potential scenario, attackers could embed a URL and swap in whatever malicious payload is delivered by the link. This way, the same archive can be used repeatedly to deliver a variety of malicious code without having to regenerate the archive.
“We can only remind users once again to run EXE files, either SFX archives or not, only if they are received from a trustworthy source,” the WinRAR team said.