Security

500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug

An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

  • Huh? (Score:2, Interesting)

    by gstoddart ( 321705 )

    I must admit some of these security exploits elude me a little, but I've read both of TFAs, and I guess my question is "what the heck is this SFX window and what's it for"?

    Why the heck is an archiving program executing arbitrary code in the first place? That's crazy.

    • SFX refers to the self-extractor piece.
      It lets you compress a bunch o' shit, then package it as an executable file.
      The executable contains the compressed shit, the decompression algorithm, and a short script about where to unpack shit to, what to title the SFX window, etc.

      Run the executable and your 8 MB download turns into a 25 MB folder with shit in it.
      People distribute self-extractors because you don't need to rely on them having WinRAR installed, don't need to rely on them knowing where to put the files

  • by Anonymous Coward

    If you download and willingly execute an .exe you're already fucked.

  • Click-bait BS (Score:5, Insightful)

    by pegr ( 46683 ) on Wednesday September 30, 2015 @02:10PM (#50629461) Homepage Journal

    So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So an executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

    Oh, and samzenpus, that was the most clickbait bullshit Slashdot headline in months. You should be horsewhipped.

    • Oh, I don't know ... it's a real vulnerability, dated Monday, and rated as a 9 (I assume out of 10) ... in terms of being an actual thing and showing up in a timely manner, I'm not sure I'd call it clickbait.

      Now, anything Nerval's Lobster posts which links to Dice? That I'd call clickbait.

        • It was such a real vulnerability that the WinRAR author set it to WONTFIX. And he's right.

    • Re:Click-bait BS (Score:5, Insightful)

      by tlhIngan ( 30335 ) <.slashdot. .at. .worf.net.> on Wednesday September 30, 2015 @03:26PM (#50630329)

      So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So an executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

      Actually, the problem is NOT the executable. The SFX part is NOT compromised at all. It's completely legitimate standard WinRAR SFX.

      However, the bug is that there's a buffer overflow in the SFX program - you can give it a malicious HTML file that causes it to execute code.

      The deal is that all a malicious user has to do is inject their file into a RAR archive and set a flag to have the SFX program show it as part of the SFX process. The SFX stub will check clean by all anti-virus because it's the same SFX stub as what WinRAR ships with.

      It's entirely possible that you cannot detect this - if the archive is password protected, for example, so you can't detect the bad HTML file at all. And the SFX will still check clean, but really infect your PC.

      The only workaround is to use WinRAR itself to open the SFX

  • So... you can use WinRAR to create an executable file that executes code?

    I guess I'd better get cl.exe and gcc off my systems, too.

  • And they're complaining about security flaws in closed-source, for-profit software.

  • Well... Not to underestimate the finding, but frankly it's nothing new. Executables may carry malicious code, no matter how innocent they look.

    To avoid running the executable, you can use WinRAR (or 7Zip etc) to open the SFX as if it were a regular archive.
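
Added example (not part of the thread and not WinRAR's code): a Python sketch of the triage step behind the advice above, recognising a RAR self-extractor from its bytes so it can be opened as an archive instead of being run. It assumes the archive is appended after the last PE section; `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# RAR marker blocks: 7 bytes for RAR 1.5-4.x, 8 bytes for RAR 5.
RAR4_MARK = b"Rar!\x1a\x07\x00"
RAR5_MARK = b"Rar!\x1a\x07\x01\x00"

def pe_overlay_offset(data):
    """Return the file offset where the PE image ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # start of the section table
    end = table + 40 * num_sections           # each section header is 40 bytes
    if end > len(data):
        return None
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def classify_sfx(data):
    """Return (kind, marker_offset) without executing anything in the file."""
    overlay = pe_overlay_offset(data)
    if overlay is None:
        return ("not-pe", None)
    # Search only the overlay (assumption: the archive follows the stub), so a
    # marker constant embedded in the stub's own code is not mistaken for data.
    hits = [(data.find(m, overlay), kind)
            for kind, m in (("rar4-sfx", RAR4_MARK), ("rar5-sfx", RAR5_MARK))]
    hits = [h for h in hits if h[0] != -1]
    if not hits:
        return ("pe", None)
    pos, kind = min(hits)
    return (kind, pos)

def build_sample(overlay):
    """Constructed minimal PE: one 32-byte section, no optional header."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                 # NumberOfSections
    struct.pack_into("<II", hdr, 0x58 + 16, 0x20, 0x80)  # raw size, raw pointer
    return bytes(hdr) + b"\x00" * 0x20 + overlay
```

A file classified as `rar4-sfx` or `rar5-sfx` can then be handed to an archiver for listing rather than double-clicked.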

  • How is this a remote exploit? It seems you have to download the malicious file and run it.
    • by pegr ( 46683 )

      "remote" as in, unlikely to affect users smart enough to avoid running untrusted binaries.

  • Using a self extracting winRAR file as a vector to run code on Windows - is a vulnerability in Windows.

    'Execution of poc.pl aborted due to compilation errors.'
  • See samzenpus, it's not difficult to think up an accurate title :)
  • And require a crack to get working properly? Why would anyone still use that crap. As everyone else has said, 7-zip has I thought, been standard for like 5 years, which is eternity in internet time... Do the slashdot editors still use winrar or something because they are stuck in the glory days of yore?

    That, or they really are out of tune with the windows software scene.
