WinRAR Flaw Lets Hackers Run Programs When You Open RAR Archives (bleepingcomputer.com)
A critical vulnerability (CVE-2023-40477) has been patched in WinRAR, enabling remote attackers to execute arbitrary code by luring victims into opening a specially crafted RAR file. The severity rating is only 7.8, though, because the attack requires deceiving the user into opening the file. BleepingComputer reports: The vulnerability was discovered by researcher "goodbyeselene" of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023. "The specific flaw exists within the processing of recovery volumes," reads the security advisory released on ZDI's site. "The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer."
RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477. Therefore, WinRAR users are strongly advised to apply the available security update immediately. Apart from the fix to the RAR4 recovery-volume processing code, version 6.23 addresses an issue with specially crafted archives leading to wrong file initiation, which is also considered a high-severity problem.
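The ZDI description above (a length taken from the file without validation, leading to a memory access past the end of an allocated buffer) is the general pattern behind this bug class. The following C program is an added illustration, not WinRAR's code and not the RAR format: it parses a made-up record consisting of a two-byte little-endian length followed by a payload, first in the flawed style where the declared length is trusted, then in the hardened style where it is checked against both the bytes actually present and the destination capacity. All record layouts and sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example (not the RAR
 * format): a 2-byte little-endian payload length followed by the payload. */
#define MAX_PAYLOAD 64

enum { REC_OK = 0, REC_TRUNCATED = 1, REC_TOO_LONG = 2 };

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The flaw pattern: the length comes from the file and is used as-is.
 * If `declared` exceeds the bytes actually present, memcpy reads past the
 * end of `in`; if it exceeds the destination, it writes past `out`.
 * Kept here only to show the difference; never feed it untrusted data. */
int parse_record_unchecked(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t *out_len)
{
    (void)in_len;                       /* available size is never consulted */
    uint16_t declared = read_le16(in);  /* attacker-controlled */
    memcpy(out, in + 2, declared);
    *out_len = declared;
    return REC_OK;
}

/* Hardened form: every length read from the file is checked against both the
 * bytes available in the input and the capacity of the output before use. */
int parse_record_checked(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 2)
        return REC_TRUNCATED;           /* not even a complete header */
    uint16_t declared = read_le16(in);
    if (declared > in_len - 2)
        return REC_TRUNCATED;           /* would read past the input buffer */
    if (declared > out_cap)
        return REC_TOO_LONG;            /* would write past the output buffer */
    memcpy(out, in + 2, declared);
    *out_len = declared;
    return REC_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]        = { 0x03, 0x00, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNCATED[] = { 0xFF, 0x7F, 'a' };  /* claims 32767 bytes, carries 1 */

/* Well-formed input is handled identically by both parsers; returns 1 on success. */
int demo_valid(void)
{
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    int rc = parse_record_checked(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out, &n);
    if (rc != REC_OK || n != 3 || memcmp(out, "abc", 3) != 0)
        return 0;
    rc = parse_record_unchecked(SAMPLE_OK, sizeof SAMPLE_OK, out, &n);
    return rc == REC_OK && n == 3 && memcmp(out, "abc", 3) == 0;
}

/* A length field larger than the remaining input is rejected, not copied. */
int demo_truncated(void)
{
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    return parse_record_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED,
                                out, sizeof out, &n);
}

/* A length that fits the input but not the destination is rejected too. */
int demo_too_long(void)
{
    uint8_t in[2 + 100];
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    in[0] = 100; in[1] = 0;             /* declares 100 payload bytes */
    memset(in + 2, 'x', 100);
    return parse_record_checked(in, sizeof in, out, sizeof out, &n);
}

int main(void)
{
    printf("valid: %d, truncated: %d, too long: %d\n",
           demo_valid(), demo_truncated(), demo_too_long());
    return 0;
}
```

The two checks in `parse_record_checked` are the whole difference: the unchecked parser is correct on well-formed files and only misbehaves on a crafted length, which is why this class of bug survives ordinary testing and is caught by fuzzing or bounds-checking review of every length field derived from the file.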
Hello, Russia (Score:3)
ZIP had to be settled on long ago as the professional and only choice for archiving.
Re: (Score:2)
Re: (Score:2)
Zip? The hallmark of the true amateurs that mistake themselves for "professionals"....
Re: (Score:2)
Then go for your WinRAR from ruZZia with love.
Re: (Score:3)
It's all 7z now. Why would you use RAR today? And by extension, why would you use WinRAR when you can use 7zFM?
Re: (Score:3)
OK, here is the way I think over it:
1. Particular speed/size wins that you might be advocating by pointing to another archive format are not essential when performance and space are very much secondary concerns nowadays
2. Software coming from particular countries is of much bigger concern
3. I do believe that an integral part of the OS serving the needs of archiving and extracting is proper engineering design and correctly assigned responsibility; as such, it's all about ZIP
4. When working on clients' computers
Re: (Score:2)
Windows 11 is getting, or maybe has already got, native support for 7zip and RAR files. I think both GNOME and KDE support it by default on most distros.
It's the lack of 7zip support by default on Windows 10 that is holding it back. End of support for 10 is early 2025, then we will see what happens to the hundreds of millions, maybe billions of PCs unable to upgrade to 11.
The only thing that would improve 7zip is support for better compression of JPEG. It's possible to losslessly compress JPEG files by deco
Re: (Score:2)
Why would I use RAR? And on Windows? Seriously? You just outed yourself as one of those "professionals".
Re: (Score:1)
Re: (Score:3)
We have another fleet of compression/packing utilities "for serious IT work" on "serious OSes". In the context of the discussed article, we are covering the application of WinRAR, which is for a non-serious OS and exists not for serious reasons but as a historical means of splitting large archives into chunks that fit on floppy disks (assuming they have no bad sectors). Please do not portray yourself as a high-flying professional if you are not ready to accept the limited domain of this discussion professionally.
Re: (Score:2)
Re: (Score:2)
Nah, neither one read that post.
Re: (Score:2)
I am also a Linux user, an early bird at it, but I do not bind it to the WinRAR usage domain. Of course, we have a solid Unix-tribe tradition on similar needs; it just has little say as to this article.
Don't worry (Score:3, Funny)
This flaw is only in the unregistered version.
Re: (Score:2)
Yeah... maybe they should have only offered the patch to the (around 12) people still alive who actually registered WinRAR.
The rest of those deadbeats deserve what's coming to them!
Re: (Score:2)
*breathes a sigh of relief*
They called me mad for registering RAR in the '90s, but I knew registering it would come in handy someday! I just knew! BWAHAHAHAHA!
(My registration from then still works today... :D)
Why even use Rar anymore? (Score:5, Insightful)
7z is as good as (if not better than) Rar and it's free and open unlike the proprietary Rar format.
Re: (Score:2, Informative)
Re: Why even use Rar anymore? (Score:4, Interesting)
+1 for zstd, much better compression and speed.
Re: (Score:1)
Yet another standard, though.
7zip is slow but good. If I want fast I use tar and pigz. Then at least I get a file that everybody can handle.
Lol (Score:3)
Am I one of the few people who uses WinRAR? (Score:5, Interesting)
I know I'm the odd man out here, but WinRAR has a few things that are unique, and with the way I use it, the vulnerability isn't really an issue. And yes, I have registered it, one or more copies for every machine.
1: The recovery records are a nice thing to have for long term archiving. I have pulled files from 20+ years ago, and even with damage to archives, because I used recovery records, I was able to completely recover the contents. Yes, I could use PAR2, but PAR2 support requires a lot more hoops to jump through than WinRAR.
2: The archive segmentation and recovery volumes are nice.
3: It is easily used via a cron job for backups, and it offers good compression as well as deduplication, around the level of 7Zip if I choose to use solid archives, but I prefer trading size for a bit more recoverability, so I don't use solid archives, and add a 3-5% recovery record.
4: It has decent AES encryption.
5: Every unarchiver supports it. The unrar source code is, IIRC, freely available, so opening a WinRAR archive is easy.
Overall, it works well for a nightly backup program, once you get used to the command line, and is ideal for long-term archives because it can not only detect CRC errors (especially if BLAKE2 is enabled), but perhaps repair them.
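The recovery-record idea in the comment above (integrity data that travels with the archive on whatever medium it sits on and can rebuild damaged blocks, not just detect them) can be shown with a toy in C. This is an added illustration, not WinRAR's recovery-record format or its code: it stores a CRC32 per data block plus one XOR parity block, so any corrupted block is detected by its checksum and exactly one damaged block can be rebuilt from the parity and the intact blocks. Real recovery records use proper erasure codes and tolerate more damage; the block size, block count and sample data here are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK   8     /* bytes per block, chosen small for the example */
#define NBLOCKS 4     /* number of data blocks in the "archive" */

/* Toy recovery record: one checksum per block plus a single XOR parity block. */
typedef struct {
    uint32_t crc[NBLOCKS];
    uint8_t  parity[BLOCK];
} recovery_record;

/* Standard CRC-32 (IEEE, reflected), bitwise so no table is needed. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Compute the record that would be appended to the archive. */
void build_record(uint8_t data[NBLOCKS][BLOCK], recovery_record *rec)
{
    memset(rec->parity, 0, BLOCK);
    for (int b = 0; b < NBLOCKS; b++) {
        rec->crc[b] = crc32_bytes(data[b], BLOCK);
        for (int i = 0; i < BLOCK; i++)
            rec->parity[i] ^= data[b][i];
    }
}

/* Returns -1 if every block verifies, b >= 0 if block b was damaged and has
 * been rebuilt in place, or -2 if more than one block is damaged (a single
 * parity block cannot recover that). */
int verify_and_repair(uint8_t data[NBLOCKS][BLOCK], const recovery_record *rec)
{
    int bad = -1, nbad = 0;
    for (int b = 0; b < NBLOCKS; b++)
        if (crc32_bytes(data[b], BLOCK) != rec->crc[b]) { bad = b; nbad++; }
    if (nbad == 0) return -1;
    if (nbad > 1)  return -2;
    /* The missing block is the XOR of the parity with every intact block. */
    memcpy(data[bad], rec->parity, BLOCK);
    for (int b = 0; b < NBLOCKS; b++)
        if (b != bad)
            for (int i = 0; i < BLOCK; i++)
                data[bad][i] ^= data[b][i];
    /* Confirm the rebuilt block against its stored checksum before trusting it. */
    return crc32_bytes(data[bad], BLOCK) == rec->crc[bad] ? bad : -2;
}

/* Constructed archive contents: 32 consecutive printable bytes. */
static void fill_sample(uint8_t data[NBLOCKS][BLOCK])
{
    for (int b = 0; b < NBLOCKS; b++)
        for (int i = 0; i < BLOCK; i++)
            data[b][i] = (uint8_t)('A' + b * BLOCK + i);
}

/* Damage one block, repair it, and check the archive is byte-for-byte restored. */
int demo_repair(void)
{
    uint8_t data[NBLOCKS][BLOCK], original[NBLOCKS][BLOCK];
    recovery_record rec;
    fill_sample(data);
    memcpy(original, data, sizeof data);
    build_record(data, &rec);
    memset(data[2], 0xFF, BLOCK);            /* simulate media damage */
    int r = verify_and_repair(data, &rec);
    return r == 2 && memcmp(data, original, sizeof data) == 0;
}

/* Two damaged blocks: detected, but beyond what one parity block can fix. */
int demo_two_damaged(void)
{
    uint8_t data[NBLOCKS][BLOCK];
    recovery_record rec;
    fill_sample(data);
    build_record(data, &rec);
    memset(data[0], 0x00, BLOCK);
    memset(data[3], 0xFF, BLOCK);
    return verify_and_repair(data, &rec);
}

/* Undamaged archive: nothing to do. */
int demo_clean(void)
{
    uint8_t data[NBLOCKS][BLOCK];
    recovery_record rec;
    fill_sample(data);
    build_record(data, &rec);
    return verify_and_repair(data, &rec);
}

int main(void)
{
    printf("repair: %d, two damaged: %d, clean: %d\n",
           demo_repair(), demo_two_damaged(), demo_clean());
    return 0;
}
```

The point of the design is the one the commenter makes: the checksums tell you which block is wrong, and the parity lets you rebuild it without any copy of the original, because the record is stored alongside the data rather than depending on the file system underneath it.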
Re: (Score:3)
Agreed that ZFS has all this, as well as btrfs + LUKS, but what is nice is having the ECC "follow" the archives and files, so whatever medium it is sitting on, be it disk, tape, cloud, or SD cards, archives can be verified, if not repaired.
Flaw? (Score:1)
Lazy Programmers (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Why bother? (Score:5, Funny)
> A critical vulnerability (CVE-2023-40477) has been patched in WinRAR, enabling remote attackers to execute arbitrary code by luring victims into opening a specially crafted RAR file.
If patching the vulnerability enables attackers to execute arbitrary code, perhaps it would have been better to leave it unpatched.
Re: (Score:2)
Still a pirate standard (Score:2)
Thus, whoever gets "stuff" compressed in RAR format: patch it up ASAP.
Working as Designed (Score:2)
That's a good reason to stick to ARJ (Score:2)
I mean, all we ever needed was ARJ, and if you needed more compression, the same guy wrote JAR, which was unfortunately the name that Sun used for Java archives. JAR compressed more than RAR, anyway.
https://arjsoftware.com/jar.ht... [arjsoftware.com]