Severe vulnerability in WinRAR that has existed for the last 19 years

Filip Pokorný

Feb. 20, 2019

WinRAR, one of the world's most popular Windows file compression applications, last month patched a severe security flaw (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253) that can be abused to hijack a user's system simply by tricking the WinRAR user into opening a malicious archive. The vulnerability resides in the UNACEV2.DLL library shipped with all WinRAR versions, which is responsible for unpacking archives in the ACE format. The researchers discovered a way to build malicious ACE archives that, when decompressed, exploit coding flaws in this library to plant files outside the intended extraction directory (for example, to drop malware into a Windows PC's Startup folder, where it would execute after the next reboot, infecting and taking over the PC). The WinRAR developers released WinRAR 5.70 Beta 1 to address this vulnerability; it drops support for the ACE archive format altogether.
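The flaw described above is a path traversal in the extractor: an entry name inside the archive is allowed to resolve to a location outside the directory the user chose. The following is an added example, not code from the page or from WinRAR, showing the containment check any archive extractor should apply before writing an entry to disk. It uses Python's `ntpath` module so that Windows path semantics (backslashes, drive letters, rooted paths, case-insensitivity) are evaluated the same way on any platform; the destination root and the entry names are constructed sample values.

```python
"""Containment check for archive entry names (added example, not WinRAR code).

Given the extraction root the user selected and the raw entry name taken from
an archive header, decide where the entry may be written. Anything that would
resolve outside the root is rejected instead of being "normalised" into place.
Windows path rules are applied via ntpath so the check runs identically on
Linux, macOS and Windows.
"""
import ntpath
from typing import Optional


def resolve_entry(dest_root: str, entry_name: str) -> Optional[str]:
    """Return the final on-disk path for `entry_name`, or None if unsafe.

    dest_root must be an absolute Windows-style path (e.g. C:\\out).
    """
    root = ntpath.normpath(dest_root).rstrip("\\")

    # 1. Reject anything that names its own location: absolute paths,
    #    drive letters (C:...), UNC shares (\\server\share) and rooted
    #    names (\foo), which ntpath.join would let override the root.
    if (ntpath.isabs(entry_name)
            or ntpath.splitdrive(entry_name)[0]
            or entry_name.startswith(("\\", "/"))):
        return None

    # 2. Normalise the way Windows does: '/' becomes '\', '.' and '..'
    #    components are collapsed. A leading '..' that survives means the
    #    entry climbs above the root.
    rel = ntpath.normpath(entry_name)
    if rel in (".", "..") or rel.startswith("..\\"):
        return None

    # 3. Join and re-check containment. Windows filesystems are
    #    case-insensitive, so compare lower-cased. The trailing separator
    #    stops "C:\out2" from passing as a child of "C:\out".
    target = ntpath.join(root, rel)
    if not target.lower().startswith(root.lower() + "\\"):
        return None
    return target


def audit_entries(dest_root: str, entry_names):
    """Classify every entry name; returns {name: resolved_path_or_None}."""
    return {name: resolve_entry(dest_root, name) for name in entry_names}


if __name__ == "__main__":
    # Constructed sample: the root a user picked and entry names of the
    # kind a crafted archive could carry. Only the first and last are
    # legitimate relative names; the rest must be refused.
    root = "C:\\Users\\alice\\Downloads\\out"
    sample_entries = [
        "docs\\readme.txt",
        "docs/../../evil.exe",
        "C:\\Windows\\evil.dll",
        "\\evil.exe",
        "..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe",
        "a\\..\\b.txt",
    ]
    for name, decision in audit_entries(root, sample_entries).items():
        verdict = "WRITE " + decision if decision else "REJECT"
        print(f"{name!r:80} -> {verdict}")
```

The rejection of rooted names in step 1 matters even though step 3 would also catch them: on Python 3.13 and later `ntpath.isabs("\\evil.exe")` returns False, so relying on `isabs` alone would let the name reach `ntpath.join`, which replaces the root's directory with the rooted component. The check deliberately refuses rather than rewrites, and it says nothing about junctions or symlinks already present under the root; an extractor also has to create directories itself and refuse to follow links it did not create.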

Proof of Concept: