A flaw in WinRAR could lead to remote code execution

A vulnerability in the WinRAR is a trialware file archiver utility for Windows could be exploited by a remote attacker to hack a system.

Positive Technologies researcher Igor Sak-Sakovskiy discovered a remote code execution vulnerability, tracked as CVE-2021-35052, in the popular WinRAR trialware file archiver utility for Windows.

The vulnerability affects the trial version of the utility, the vulnerable version is 5.70.

“This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. This can be used to achieve Remote Code Execution (RCE) on a victim’s computer. It has been assigned the CVE ID – CVE-2021-35052.” reads the post published by Sak-Sakovskiy. “We found this vulnerability by chance, in WinRAR version 5.70.”

The researchers installed the software and noticed that it was producing a JavaScript error, the specific error indicates that the Internet Explorer engine is rendering this error window.

After a series of test, the expert noticed that after the trial period has expired, the software started displaying the error message, one time out of three executions. This window used to display the error uses mshtml.dll implementation for Borland C++ in which WinRAR has been written.

The expert used Burp Suite as a default Windows proxy to intercept traffic generated when the message is displayed.

The analysis of the response code sent when WinRAR alerts the user about the end of the free trial period via “notifier.rarlab[.]com” revealed that modifying it to a “301 Moved Permanently” redirect message if was possible to cache the redirection to a malicious domain for any subsequent request. Experts also noticed that an attacker with access to the same network domain carry out ARP spoofing attacks to remotely launch applications, retrieve local host information, and run arbitrary code.

“Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.” continues the expert. “Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.”

Experts pointed out that vulnerabilities in third-party software pose serious risks to organizations, they can be exploited to access any resource of the system and potentially of the network hosting it.

“It’s impossible to audit every application that could be installed by a user and so policy is critical to managing the risk associated with external applications and balancing this risk against the business need for a variety of applications. Improper management can have wide reaching consequences.” concludes the post.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WinRAR)

[adrotate banner=”5″]

[adrotate banner=”13″]