A code execution vulnerability, well over a decade old, in the UNACEV2.DLL library used by WinRAR and other programs threatens millions of users of software that includes this component under Windows. Action is called for.
I had already seen the topic last night in the post Nasty code-execution bug in WinRAR threatened millions of users for 14 years, but still had no time to take a closer look. In the meantime, German blog reader Bolko has added some more information in the comments (thanks for that).
Path Traversal vulnerability in UNACEV2.DLL
Security researchers from Check Point Software discovered the vulnerability in UNACEV2.DLL and published it on February 19, 2019 in the article Extracting a 19 Year Old Code Execution from WinRAR. The background was that the researchers wanted to subject WinRAR to a security check. WinRAR is used to unpack a range of archive formats and is quite popular.
(WinRAR, Source: CheckPoint)
Such archivers attract attention whenever vulnerabilities in their unpacking routines can be abused for code execution. While investigating the WinRAR components, the security researchers uncovered a path traversal vulnerability in UNACEV2.DLL. This library is used to unpack archives in ACE format.
At first, the security researchers had difficulty figuring out how to turn the vulnerability into code execution. The most obvious idea was to have WinRAR extract an executable file from an ACE archive into the Windows Startup folder. Windows then runs it at the next logon (for example after a reboot).
The absolute path traversal vulnerability found in UNACEV2.DLL lets the archive dictate the path an extracted file is written to, regardless of which destination folder the user chose for unpacking. The UNACEV2.DLL library comes from a third-party vendor and has not been updated since 2005. This old DLL also does not use vulnerability mitigation techniques such as address space layout randomization (ASLR).
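The root problem is that an extractor takes a file name from the archive header and combines it with the user's destination folder without checking where the result ends up. The following is an added illustration, not code from the Check Point write-up or from UNACEV2.DLL: a naive join beside a hardened one, fed with constructed member names (relative traversal, an absolute path to the per-user Startup folder, a drive-relative name, a UNC path and an NTFS alternate data stream). Windows path semantics are simulated with ntpath so it runs on any host; the paths and user name are assumptions.

```python
import ntpath

# Constructed sample data (not from the Check Point write-up): the destination the
# user chose, the per-user Startup folder the post mentions, and member names an
# archive header could carry. ntpath simulates Windows path rules on any host.
DEST = r"C:\Users\victim\Downloads\extract"
STARTUP = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup")

SAMPLE_MEMBERS = [
    r"docs\readme.txt",                                                # benign
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
    r"\Startup\evil.exe",                                              # relative traversal
    STARTUP + r"\evil.exe",                                            # absolute path
    r"C:evil.exe",                                                     # drive-relative
    r"\\server\share\evil.exe",                                        # UNC path
    r"report.txt:evil.exe",                                            # NTFS alternate data stream
]


def naive_target(dest: str, member: str) -> str:
    """Vulnerable pattern: trust the name taken from the archive header.

    ntpath.join() drops `dest` entirely when `member` is absolute, and
    normpath() resolves '..' components, so the archive picks the location.
    """
    return ntpath.normpath(ntpath.join(dest, member))


def safe_target(dest: str, member: str) -> str:
    """Hardened pattern: return a path inside `dest` or raise ValueError."""
    if not ntpath.isabs(dest):
        raise ValueError("destination must be an absolute path")
    if "\x00" in member:
        raise ValueError("NUL byte in member name")
    drive, tail = ntpath.splitdrive(member)
    if drive or tail[:1] in ("\\", "/"):
        raise ValueError(f"absolute, drive-relative or UNC name rejected: {member!r}")
    if ":" in member:
        raise ValueError(f"colon (drive/stream syntax) rejected: {member!r}")
    root = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(root, member))
    # After normalisation the result must still sit at or below the root.
    if target != root and not target.startswith(root.rstrip("\\") + "\\"):
        raise ValueError(f"escapes destination folder: {member!r}")
    return target


def rejects(dest: str, member: str) -> bool:
    """True if the hardened check refuses this member name."""
    try:
        safe_target(dest, member)
    except ValueError:
        return True
    return False


def compare(dest: str, members) -> dict:
    """Map each member name to (naive target, hardened target or rejection)."""
    out = {}
    for m in members:
        try:
            verdict = safe_target(dest, m)
        except ValueError as e:
            verdict = f"REJECTED: {e}"
        out[m] = (naive_target(dest, m), verdict)
    return out


if __name__ == "__main__":
    for member, (naive, verdict) in compare(DEST, SAMPLE_MEMBERS).items():
        print(f"{member}\n  naive -> {naive}\n  safe  -> {verdict}")
```

Run it and the naive column shows both the relative and the absolute member landing in the Startup folder, exactly the outcome described above, while the hardened check accepts only the benign name. The colon rule is deliberately blunt: it also blocks legitimate-looking names with a colon, which is the right trade-off for an extractor, since on NTFS a colon introduces an alternate data stream.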
WinRAR dropped ACE support
According to Check Point, the WinRAR developers reacted quite quickly and removed the UNACEV2.dll library, and with it ACE support, in WinRAR 5.70 Beta 1. The WinRAR website carries a corresponding note:
Nadav Grossman from Check Point Software Technologies informed us about a security vulnerability in the UNACEV2.DLL library. The aforementioned vulnerability makes it possible to create files in arbitrary folders inside or outside of the destination folder when unpacking ACE archives.
WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.
So once WinRAR 5.70 Beta 1 or a later version is in use under Windows and UNACEV2.DLL has been removed, the vulnerability should be closed as far as WinRAR itself is concerned.
Wait, other software is affected too!
Note that the UNACEV2.DLL library is used by numerous other Windows programs (XnView 2.47, among others). As long as their developers have not removed this DLL, the vulnerability remains. Blog reader Bolko pointed this out in this comment. Quote:
Insidious: If ACE archives are renamed to RAR or ZIP, they will still be unpacked if unacev2.dll is present in the program folder of the unpacker or somewhere else in the system path, and then the malware exe files can end up in the autostart folder.
This means Windows users need to search all drives in Windows Explorer for the library file UNACEV2.DLL. If the file is found, it should be deleted. The software in question will, however, lose its ACE support afterwards. Antivirus software is also likely to be affected. So check whether updated versions without the DLL are available.
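An Explorer search only finds the DLL by name; Bolko's point is that the archives themselves may hide behind a .rar or .zip extension. The script below is an added example (not from the post or from any vendor) that walks a directory tree, lists every copy of unacev2.dll with size and SHA-256 for triage, and flags files that carry the ACE main-header signature ("**ACE**" at byte offset 7) regardless of extension. It assumes the name of the DLL and the ACE signature only; the sample tree it builds is constructed here for demonstration and doubles as a self-test.

```python
import hashlib
import os
import tempfile

DLL_NAME = "unacev2.dll"            # matched case-insensitively
ACE_SIGNATURE = b"**ACE**"          # ACE main header signature
ACE_SIGNATURE_OFFSET = 7            # it follows CRC(2), size(2), type(1), flags(2)


def is_ace_archive(path: str) -> bool:
    """True if the file starts with an ACE main header, whatever its extension."""
    end = ACE_SIGNATURE_OFFSET + len(ACE_SIGNATURE)
    try:
        with open(path, "rb") as f:
            head = f.read(end)
    except OSError:
        return False
    return head[ACE_SIGNATURE_OFFSET:end] == ACE_SIGNATURE


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str) -> dict:
    """Walk `root`; return {'dlls': [(path, size, sha256)], 'ace_archives': [path]}."""
    found = {"dlls": [], "ace_archives": []}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == DLL_NAME:
                try:
                    found["dlls"].append((full, os.path.getsize(full), sha256_of(full)))
                except OSError:
                    continue                      # unreadable; skip rather than abort
            elif is_ace_archive(full):
                found["ace_archives"].append(full)
    found["dlls"].sort()
    found["ace_archives"].sort()
    return found


def windows_drive_roots():
    """Roots to scan: every existing drive letter on Windows, '/' elsewhere."""
    if os.name != "nt":
        return ["/"]
    return [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.exists(f"{c}:\\")]


def make_sample_tree() -> str:
    """Constructed demo tree: a mixed-case DLL, a renamed ACE archive, a real ZIP."""
    base = tempfile.mkdtemp(prefix="ace-scan-")
    os.makedirs(os.path.join(base, "app"))
    with open(os.path.join(base, "app", "UnAceV2.DLL"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)            # fake PE stub, not a real DLL
    with open(os.path.join(base, "renamed.zip"), "wb") as f:
        f.write(b"\x00" * ACE_SIGNATURE_OFFSET + ACE_SIGNATURE + b"\x00" * 20)
    with open(os.path.join(base, "real.zip"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 20)    # genuine ZIP local-file magic
    return base


if __name__ == "__main__":
    roots = [make_sample_tree()] if os.environ.get("ACE_SCAN_DEMO") else windows_drive_roots()
    for root in roots:
        result = scan_tree(root)
        for path, size, digest in result["dlls"]:
            print(f"DLL  {path}  {size} bytes  sha256={digest}")
        for path in result["ace_archives"]:
            print(f"ACE  {path}  (ACE signature present; extension is irrelevant)")
```

Set ACE_SCAN_DEMO=1 to run it against the constructed tree; without it the script scans every drive letter, which takes a while on a large disk. A hit in the DLL list tells you which program folder still ships the library; a hit in the archive list is a file that an unpacker with that DLL would treat as ACE no matter what it is called.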