Researchers Find a 19 Year Old Bug In WinRAR

AlphaAtlas

Security researchers from Check Point have reportedly discovered a bug in WinRAR that just might be older than you. According to their bug report, recent versions of WinRAR shipped with an ancient "unacev2.dll" file designed to decompress the equally ancient ACE archive format. A bug in the .dll lets malicious archives extract files to any location on the user's system, including the user's startup folder, which would allow an attacker to remotely execute arbitrary code during the next startup. WinRAR has removed the vulnerable .dll file in the program's latest release, as no one unpacks ACE archives anymore, and it seems that the security researchers may have claimed a substantial bug bounty in the process. Thanks to The Register for spotting the exploit.

A few months ago, our team built a multi-processor fuzzing lab and started to fuzz binaries for Windows environments using the WinAFL fuzzer. After the good results we got from our Adobe Research, we decided to expand our fuzzing efforts and started to fuzz WinRAR too. One of the crashes produced by the fuzzer led us to an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.) and is used by WinRAR. We turned our focus and fuzzer to this "low hanging fruit" dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution. However, the fuzzer produced a test case with "weird" behavior. After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution. Perhaps it's also worth mentioning that a substantial amount of money in various bug bounty programs is offered for these types of vulnerabilities.
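A generic illustration of the bug class the post describes (absolute path traversal during extraction), added here as an example; it is neither Check Point's proof of concept nor code from WinRAR or unacev2.dll. It models Windows path rules with Python's ntpath so it runs on any OS, and every path, entry name and the Startup folder location in it is a constructed placeholder, not taken from the write-up. The naive function shows why trusting the name stored in an archive entry lets the archive pick the output location; the hardened one rejects absolute, drive-relative, rooted and UNC names and then proves containment with a normalized common-path comparison rather than a string prefix check.

```python
"""Containment check for archive extraction paths (added illustration).

Models the bug class discussed in the thread: an extractor that trusts the
file name stored inside an archive entry can be steered into writing outside
the chosen destination folder, e.g. into the Startup folder. Windows path
semantics are modelled with ntpath so this runs anywhere. All paths and
entry names below are constructed examples, not taken from the write-up.
"""
import ntpath

# Hypothetical Startup folder used as the attacker's goal in the demo.
STARTUP_DIR = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")


class PathTraversalError(ValueError):
    """Raised when an archive entry would land outside the destination."""


def naive_target(dest_dir: str, entry_name: str) -> str:
    """Vulnerable pattern: join the destination and the stored name blindly.

    ntpath.join discards dest_dir entirely when entry_name is absolute, and
    '..' components are honoured later by the filesystem, so the archive
    author controls the final write location.
    """
    return ntpath.join(dest_dir, entry_name)


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened pattern: accept only relative names that stay under dest_dir.

    dest_dir is assumed to be an absolute Windows path chosen by the user.
    """
    if "\x00" in entry_name:
        raise PathTraversalError("NUL byte in entry name")
    drive, _ = ntpath.splitdrive(entry_name)
    # Rejects 'C:\x' (absolute), 'C:x' (drive-relative), '\x' or '/x'
    # (rooted on the current drive) and '\\server\share\x' (UNC).
    if drive or entry_name.startswith(("\\", "/")):
        raise PathTraversalError(f"absolute or rooted entry name: {entry_name!r}")

    base = ntpath.normpath(dest_dir)
    # normpath collapses '.' and '..' and turns '/' into '\', so the
    # comparison below sees the path the filesystem would actually open.
    target = ntpath.normpath(ntpath.join(base, entry_name))
    try:
        # commonpath compares whole components case-insensitively, so
        # 'C:\out2\x' is correctly rejected for base 'C:\out' (a plain
        # startswith() check would accept it). It raises ValueError for
        # paths on different drives, which is also an escape.
        inside = ntpath.commonpath([base, target]) == base
    except ValueError:
        inside = False
    if not inside:
        raise PathTraversalError(f"entry escapes destination: {entry_name!r} -> {target}")
    return target


def plan_extraction(dest_dir: str, entry_names) -> dict:
    """Map each entry name to its checked target, or None if it was rejected."""
    plan = {}
    for name in entry_names:
        try:
            plan[name] = safe_target(dest_dir, name)
        except PathTraversalError:
            plan[name] = None
    return plan


if __name__ == "__main__":
    # Constructed archive listing: benign entries plus the classic escapes.
    entries = [
        "readme.txt",
        "docs/readme.txt",
        "docs\\..\\ok.txt",
        "..\\..\\evil.exe",
        STARTUP_DIR + "\\evil.exe",
        "C:evil.exe",
        "\\evil.exe",
        "\\\\srv\\share\\evil.exe",
    ]
    print("naive:", naive_target("C:\\out", STARTUP_DIR + "\\evil.exe"))
    for name, target in plan_extraction("C:\\out", entries).items():
        print(f"{'REJECT' if target is None else 'ok    '} {name!r} -> {target}")
```

Run it and the naive line prints the Startup folder path, i.e. the destination the user chose never appears in the result; the hardened plan keeps the three benign names under C:\out and rejects the other five. The commonpath comparison is the part worth copying: prefix checks on strings are the usual way such a check is written and then bypassed.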
 
an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.)
Except, compiling the DLL with ASLR or DEP would have absolutely no effect on this bug. There is no reason for the researchers to even mention ASLR or DEP, except to play Buzzword Bingo. Fortunately, the .ace archive format was never widely adopted (if it was ever adopted at all). According to the Wayback Machine, as of 2014 the newest version of WinAce available on the WinAce website is dated 2007, and it appears that the WinAce website has been completely down since 2017. I have a feeling WinRar added .ace support many years ago strictly as a marketing gimmick: "We can extract any archive format in existence".

But it is an interesting article, reading about how they figured out the bug.
 
I actually still have one .ace file, made in 2002. I packed up my old game Elasto Mania. I remember getting it in the mail on floppy disk, lol. I think I'll keep it as is, even though I may never be able to extract it. The contents are extracted anyway, and the game still runs (even though it borks my screen resolution.)
 


Can someone translate this =) This is the guy who wrote Winrar
 
Well... This was fixed in 5.70 beta 1 now we are on 5.70 beta 2

rarlab.com said:
Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.

We are thankful to Check Point Software Technologies for reporting
this issue.
 
I did (in 2007). Perpetual license. Gotta support the developers.

I've bought a few licenses for clients over the years. I had a license myself at some point as well. I switched to 7 zip a while ago though and have been happy.
 
Pretty soon, we'll see zip applications with ads, and "features" such as CPU thread unlock for a subscription.
 
I've been using WinRAR since WinRAR was invented.

I should probably cut them a check. Some day.

I've been using rar since it was for DOS.
However, I grew out of it when Rosenthal did not want to upgrade the 4MB dictionary size and 7-zip could take up to a 1GB dictionary. rar simply lost its advantage quickly.

RZM is my poison today. Strong compression, fast decompression, big dictionary size with a small (in comparison) memory footprint. Lacks multithreading support though.
 
People still use winrar?
I actually did end up using it a few weeks ago... on some old xp/2k machine I was remote controlling for work... saved me a minute of time I guess as someone in the past had it installed already
 
Wow you must be really old.
Quite a few modders for the Papyrus racing games started using the ACE format when it was released. I guess the higher compression at the time allowed for quicker downloads when dial up was still king. My PC at the time had an Athlon XP 2000+ in it. Single core at 1.67 GHz, baby!
 
I remember the ACE format. There was a period in the mid to late 90's where ZIP, RAR, and ACE were all pretty regularly used. I think ACE was favored on Prodigy or Compuserve. One of the big all-in-one providers.
Having one program that could open all of the formats was a godsend for a little while. Power Archiver was the first one I can recall.
 
I remember the ACE format. There was a period in the mid to late 90's where ZIP, RAR, and ACE were all pretty regularly used. I think ACE was favored on Prodigy or Compuserve. One of the big all-in-one providers.
Having one program that could open all of the formats was a godsend for a little while. Power Archiver was the first one I can recall.

ISPs had preferred Archive software in the 90s? Why did they eventually stop this practice? And what did AOL favor? My grandfather told me his AOL floppy disks just had a .exe file on them.
 
ISPs had preferred Archive software in the 90s? Why did they eventually stop this practice? And what did AOL favor? My grandfather told me his AOL floppy disks just had a .exe file on them.

It was for the file repository section in their proprietary sections. You could download shareware programs, images, wave file clips, etc.
Pretty sure most files on AOL either used ZIP or no compression at all. It was one of the other ones that had a bunch of files in the ACE format. I think it was Prodigy, but that era is a little bit of a blur.
 
I still use winrar, what should I be using?
LZ4 or Bzip2. :p
Edit: 7z (lzma2) is probably better than both, but slower unless multithreaded.
 