Bug in WinRAR Software Could Let Attackers Hack your computer (24th October 2021)

Ref# AL2021_35 | Date: Oct 24th 2021

A new vulnerability has been detected in the WinRAR trialware file archiver utility for Windows that could be exploited by remote attackers to execute arbitrary code on targeted systems, emphasizing how vulnerabilities in such software could become a gateway for a range of attacks.

Summary

Researcher Sak-Sakovskiy, from Positive Technologies, identified the vulnerability as allowing attackers to intercept and modify requests sent to users of the application. Tracked as CVE-2021-35052, the bug affects the trial version of the software running version 5.70. It could be used to achieve remote code execution (RCE) on the victim's computer.

How it works

The bug operates through a JavaScript error rendered by MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer that is also used in the Office suite to render web content inside Word, Excel, and PowerPoint files. This led to the discovery that the error window is displayed once every three times the application is launched after the expiry of the trial.

The bug can be abused by intercepting the response sent when WinRAR alerts the user about the end of the free trial period via notifier.rarlab[.]com and changing its response code to a 301 Moved Permanently redirect message. The redirection to an attacker-controlled malicious domain is then cached for all subsequent requests.

What is also alarming is that an attacker who already has access to the same network can execute ARP spoofing¹ attacks to remotely launch an application, retrieve localhost information and even run arbitrary code.
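A defender can look for the tampered response described above in web proxy logs. The following is an added example, not code from the advisory or from Positive Technologies: it flags permanent redirects returned for the notifier host that point outside the vendor's domain. The JSON-lines log format, the field names, the sample records and the trusted-domain rule are assumptions made for illustration, and the check is extended to status 308 as well as 301.

```python
import json
from urllib.parse import urlsplit

WATCHED_HOST = "notifier.rarlab.com"  # host named in the advisory (defanged there)
TRUSTED_DOMAIN = "rarlab.com"         # assumption: legitimate redirects stay under this domain
PERMANENT = {301, 308}                # permanent redirects are the ones clients cache
# Constructed sample records in a hypothetical JSON-lines proxy log format.
SAMPLE_LOG = """
{"ts":"2021-10-24T09:00:01Z","client":"10.0.0.15","host":"notifier.rarlab.com","status":200,"location":""}
{"ts":"2021-10-24T09:02:40Z","client":"10.0.0.15","host":"notifier.rarlab.com","status":301,"location":"https://www.rarlab.com/"}
{"ts":"2021-10-24T09:05:12Z","client":"10.0.0.23","host":"notifier.rarlab.com","status":301,"location":"http://notifier.rarlab.com.example.net/"}
{"ts":"2021-10-24T09:06:30Z","client":"10.0.0.23","host":"notifier.rarlab.com","status":302,"location":"http://portal.example.org/"}
{"ts":"2021-10-24T09:07:02Z","client":"10.0.0.31","host":"notifier.rarlab.com","status":301,"location":"//cdn.example.org/x"}
{"ts":"2021-10-24T09:08:45Z","client":"10.0.0.31","host":"notifier.rarlab.com","status":301,"location":"/notify"}
this line is truncated {"ts":
"""

def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-boundary match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def redirect_host(record):
    """Host a Location header points at; relative redirects stay on the request host."""
    location = record.get("location") or ""
    if not location:
        return None
    return (urlsplit(location).hostname or record.get("host", "")).lower()

def find_suspicious_redirects(log_text):
    """Return (ts, client, target_host) for permanent off-domain redirects from the notifier."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(record, dict) or record.get("host", "").lower() != WATCHED_HOST:
            continue
        if record.get("status") not in PERMANENT:
            continue
        target = redirect_host(record)
        if target and not host_in_domain(target, TRUSTED_DOMAIN):
            findings.append((record.get("ts"), record.get("client"), target))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_redirects(SAMPLE_LOG):
        print("suspicious permanent redirect:", *finding)
```

The label-boundary match in `host_in_domain` is what keeps a lookalike such as `notifier.rarlab.com.example.net` from passing as the vendor's domain.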

For more information on this vulnerability, kindly follow this URL:

https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-software-isnt-free/

______________________________________________________

1. https://www.imperva.com/learn/application-security/arp-spoofing/

Remediation

Currently, there is no detailed patch available for this kind of vulnerability. However, the Guyana National CIRT recommends that users take the following measures to avoid the vulnerability.

  • Implement policies for managing the use of third-party applications.

  • Avoid using free versions of application programs.


References