Jump to content
Tuts 4 You
Sign in to follow this  
whoknows

WinRAR patches 19-year-old security vulnerability that put millions at risk

Recommended Posts

whoknows

After the security researchers informed WinRAR of their findings, the team patched the vulnerability with version 5.70 beta 1 of the software. Rather than attempt to fix the issue, the team opted to drop support for ACE archives entirely, which was probably the sensible option considering the only program capable of creating the archives, WinACE, hasn’t been updated since 2007.

https://www.theverge.com/2019/2/21/18234448/winrar-winace-19-year-old-vulnerability-patched-version-5-70-beta-1

bonus link - hirensbootcd.org

Edited by whoknows (see edit history)
  • Like 2

Share this post


Link to post
nimaarek

How to fix second file crc check's part to write a poc?

Edited by nimaarek (see edit history)

Share this post


Link to post
1nVI5i8ILLiTY

The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.

  • Like 1

Share this post


Link to post
Teddy Rogers

WinACE... I recall this being quite a popular archive program/format decades ago. It has been a long time I can recall last coming across an ACE archive, I had forgotten it had even existed until I read this...

Ted.

Share this post


Link to post
Xyl2k

Here is a yara rule as it seem to rain samples according to mcafee

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
{
    meta:
        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
        author = "xylitol@temari.fr"
        date = "2019-03-17"
        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
        // May only the challenge guide you
    strings:
        $string1 = "**ACE**" ascii wide
        $string2 = "*UNREGISTERED VERSION*" ascii wide
        // $hexstring1 = C:\C:\
        $hexstring1 = {?? 3A 5C ?? 3A 5C}
        // $hexstring2 = C:\C:C:..
        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
    condition:  
         $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
}

so far it matched all my know files.

================================================================================================================================================================
---------- MATCH: CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
FILE >>>>> C:/SBOX/temp/ace/0312885f07b5a028e64c6a2a440a8584c67adf2c0986e99447328c4bede4e102
FILE >>>>> C:/SBOX/temp/ace/0a8d46694dcd3c817ca507d3004366352926bed39897aa19c605bf407841605e
FILE >>>>> C:/SBOX/temp/ace/4bde9006a960da9388d3c45cbebb52ff5015e0fbe0c4d80177b480cba8abd5a0
FILE >>>>> C:/SBOX/temp/ace/642018f0cc2afa550f51516db2015d25f317be8dd8cdf736428dfc1e8d541909
FILE >>>>> C:/SBOX/temp/ace/7871204f2832681c8ead96c9d509cd5874ed38bcfc6629cbc45472b9f388e09c
FILE >>>>> C:/SBOX/temp/ace/a49d55cd7ca0dab2d84308d56bf3f7d6b3903135b9eccd8924ab1b695bb18d93
FILE >>>>> C:/SBOX/temp/ace/dcda4a01ab495145ba56c47ff2fe28dbd0b1088fb5c102577a75d9988e8e7203
FILE >>>>> C:/SBOX/temp/ace/e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec

 

  • Like 1

Share this post


Link to post
null_endian
On ‎3‎/‎9‎/‎2019 at 7:55 AM, 1nVI5i8ILLiTY said:

The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.

Yup. Vulns are hyped way too much these days...

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...