Earlier this week, a critical, new remote code execution vulnerability affecting WinRAR v5.21 was disclosed by security researcher Mohammad Reza Espargham. WinRAR is a highly popular file compression utility, used by many worldwide.
According to Espargham, the vulnerability allows remote attackers to execute unauthorized system-specific code to compromise a target computer. The issue is located in the "Text and Icon" function of the "Text to display in SFX window" module. Remote attackers are able to generate their own compressed archives with malicious payloads to execute system-specific code for compromise.
Symantec Security Response has analyzed both the proof of concept from Espargham along with an additional proof of concept published today on Exploit-DB.
The vulnerability requires an attacker to use social-engineering methods to trick a user into running a malicious executable file saved as a self-extracting archive (SFX) file on their computer.
Exploit-DB

Our analysis also concludes that the exploit published in Exploit-DB is too difficult to pull off as well. To exploit this vulnerability, an attacker must use ARP- and DNS-spoofing to obtain a legitimate, but expired, copy of WinRAR to run arbitrary remote code when it is executed. While the exploit is legitimate, it is unlikely to be a significant issue in real-world attempts because of the complexity and required level of network access.
Figure. WinRAR exploit proof of concept on Exploit-DB
Mitigation

Symantec Security Response would like to take this opportunity to remind users that self-extracting archive files should be treated in the same fashion as potentially dangerous executable files. Executing untrusted files, regardless of their origin, runs the usual risks, independent of this new vulnerability. Symantec recommends that users do not open or execute unexpected files or files from an unknown source.