whoknows Posted February 22, 2019
After the security researchers informed WinRAR of their findings, the team patched the vulnerability with version 5.70 beta 1 of the software. Rather than attempt to fix the issue, the team opted to drop support for ACE archives entirely, which was probably the sensible option considering the only program capable of creating the archives, WinACE, hasn’t been updated since 2007.
https://www.theverge.com/2019/2/21/18234448/winrar-winace-19-year-old-vulnerability-patched-version-5-70-beta-1
bonus link - hirensbootcd.org

nimaarek Posted February 23, 2019
How to fix second file CRC check's part to write a PoC?

1nVI5i8ILLiTY Posted March 9, 2019
The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.

Teddy Rogers Posted March 9, 2019
WinACE... I recall this being quite a popular archive program/format decades ago. It has been a long time since I can recall last coming across an ACE archive; I had forgotten it had even existed until I read this...
Ted.

Xyl2k Posted March 17, 2019
Here is a YARA rule, as it seems to rain samples according to McAfee:

```
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
{
    meta:
        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
        author = "xylitol@temari.fr"
        date = "2019-03-17"
        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
        // May only the challenge guide you
    strings:
        $string1 = "**ACE**" ascii wide
        $string2 = "*UNREGISTERED VERSION*" ascii wide
        // $hexstring1 = C:\C:\
        $hexstring1 = {?? 3A 5C ?? 3A 5C}
        // $hexstring2 = C:\C:C:..
        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
    condition:
        $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
}
```

So far it matched all my known files.

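The condition of the rule above, ported to plain Python for triage on a host without YARA, as an added example that is not part of Xyl2k's post: it checks the ASCII markers at offsets 7 and 31 and reports the offset and printable text of every `C:\C:\`-style hit. `scan_ace`, `excerpt`, `build_sample` and the sample name fields are hypothetical, the buffers are constructed and are not valid archives, and the rule's `wide` string variant is not handled.

```python
import re

# Fixed-offset markers from the rule's condition. ASCII only: the rule's
# "wide" (UTF-16) variant is not handled in this sketch.
MARKERS = ((7, b"**ACE**"), (31, b"*UNREGISTERED VERSION*"))

# The rule's two hex strings, with each ?? translated to "any one byte".
PATH_PATTERNS = {
    "hexstring1": re.compile(rb".:\\.:\\", re.DOTALL),    # ?? 3A 5C ?? 3A 5C
    "hexstring2": re.compile(rb".:\\.:.:\.", re.DOTALL),  # ?? 3A 5C ?? 3A ?? 3A 2E
}


def excerpt(data, start, length=48):
    """Printable view of the bytes at a hit, cut at the first NUL."""
    chunk = data[start:start + length].split(b"\x00", 1)[0]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def scan_ace(data):
    """Return (verdict, hits); each hit is (pattern_name, offset, excerpt)."""
    for offset, marker in MARKERS:
        if data[offset:offset + len(marker)] != marker:
            return False, []
    hits = [
        (name, m.start(), excerpt(data, m.start()))
        for name, pattern in PATH_PATTERNS.items()
        for m in pattern.finditer(data)
    ]
    return bool(hits), sorted(hits, key=lambda h: h[1])


def build_sample(name_field):
    """Constructed test buffer (not a valid archive): markers, then a name."""
    buf = bytearray(64)
    for offset, marker in MARKERS:
        buf[offset:offset + len(marker)] = marker
    return bytes(buf) + name_field + b"\x00"


if __name__ == "__main__":
    # Constructed name fields; the paths are placeholders.
    for name in (rb"C:\C:\example\target.txt", rb"C:\C:C:..\example.txt",
                 rb"docs\readme.txt"):
        print(name, scan_ace(build_sample(name)))
```

The excerpt shows an analyst which path string triggered the hit, which the bare YARA match line does not.
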
null_endian Posted March 18, 2019
On 3/9/2019 at 7:55 AM, 1nVI5i8ILLiTY said: The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.
Yup. Vulns are hyped way too much these days...