AlphaAtlas ([H]ard|Gawd), joined Mar 3, 2018, 1,713 messages
Security researchers from Checkpoint have reportedly discovered a bug in WinRAR that just might be older than you. According to their bug report, recent versions of WinRAR shipped with an ancient "unacev2.dll" file designed to decompress the equally ancient ACE archive format. A bug in the .dll lets malicious archives extract files to any location on the user's system, including the user's startup folder, which would allow an attacker to remotely execute arbitrary code during the next startup. WinRAR has removed the vulnerable .dll file in the program's latest release, as no one unpacks ACE archives anymore, and it seems that the security researchers may have claimed a substantial bug bounty in the process. Thanks to The Register for spotting the exploit.
A few months ago, our team built a multi-processor fuzzing lab and started to fuzz binaries for Windows environments using the WinAFL fuzzer. After the good results we got from our Adobe Research, we decided to expand our fuzzing efforts and started to fuzz WinRAR too. One of the crashes produced by the fuzzer led us to an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.) and is used by WinRAR. We turned our focus and fuzzer to this "low hanging fruit" dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution. However, the fuzzer produced a test case with "weird" behavior. After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution. Perhaps it's also worth mentioning that a substantial amount of money in various bug bounty programs is offered for these types of vulnerabilities.
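The quoted write-up describes the bug as an absolute path traversal: the archive's own entry names were trusted, so an entry could name a location outside the extraction directory. The check below is an added example written for this post, not code from Checkpoint or from WinRAR, showing what an extractor has to enforce before writing any entry to disk. It uses Python's ntpath module so Windows path semantics (drive letters, UNC prefixes, both slash styles, case-insensitive names) can be exercised on any platform; the destination directory and the entry names are constructed sample values.

```python
import ntpath


class PathTraversalError(ValueError):
    """Raised when an archive entry would land outside the extraction directory."""


def safe_join(dest_dir: str, entry_name: str) -> str:
    """Return the full Windows path an archive entry may be written to.

    dest_dir must be an absolute Windows path. The entry name is rejected if it
    is drive-qualified ("C:\\x" or "C:x"), a UNC name ("\\\\server\\share\\x"),
    rooted on the current drive ("\\x"), contains an embedded NUL, or escapes
    dest_dir after ".." components are collapsed.
    """
    if "\x00" in entry_name:
        raise PathTraversalError(f"embedded NUL in entry name: {entry_name!r}")

    # Windows accepts both separators, so normalise before any other check.
    name = entry_name.replace("/", "\\")

    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        raise PathTraversalError(f"absolute or rooted entry name: {entry_name!r}")

    base = ntpath.normpath(dest_dir)
    if not ntpath.isabs(base):
        raise ValueError("dest_dir must be an absolute path")

    # Join first, then collapse "." and ".." so "docs\\..\\..\\x" is judged by
    # where it actually ends up rather than by its spelling.
    candidate = ntpath.normpath(ntpath.join(base, name))

    # Compare case-insensitively, as NTFS does, and insist on a separator
    # boundary so that "C:\\extract2\\x" is not mistaken for "C:\\extract\\x".
    inside = ntpath.normcase(candidate).startswith(ntpath.normcase(base) + "\\")
    if not inside:
        raise PathTraversalError(
            f"entry {entry_name!r} resolves to {candidate!r}, outside {base!r}"
        )
    return candidate


def filter_entries(dest_dir: str, names):
    """Split archive entry names into those safe to extract and those rejected."""
    accepted, rejected = {}, {}
    for n in names:
        try:
            accepted[n] = safe_join(dest_dir, n)
        except PathTraversalError as exc:
            rejected[n] = str(exc)
    return accepted, rejected


# Constructed sample values: a destination folder and entry names an archive
# might carry, including the kinds of names an extractor must refuse.
DEST = r"C:\Users\alice\extract"
SAMPLE_ENTRIES = [
    "docs/readme.txt",                 # ordinary relative name, accepted
    r"docs\..\notes.txt",              # ".." that stays inside, accepted
    r"C:\Windows\Temp\dropped.exe",    # drive-qualified absolute name
    r"..\..\Startup\dropped.exe",      # climbs out of the destination
    r"\dropped.exe",                   # rooted on the current drive
    r"\\srv\share\dropped.exe",        # UNC name
]

if __name__ == "__main__":
    ok, bad = filter_entries(DEST, SAMPLE_ENTRIES)
    for n, p in ok.items():
        print(f"extract  {n!r:40} -> {p}")
    for n, why in bad.items():
        print(f"reject   {n!r:40} : {why}")
```

The check is deliberately done on the final resolved path rather than by scanning the name for ".." or a leading slash: the bug in the quoted report was precisely that the entry name was used as the destination without this resolution step.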