
WinRAR code execution vulnerability early warning

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail the early warning for the WinRAR code execution vulnerability. It is shared here as a reference.

0x00 vulnerability background

On February 20, 2019, @Nadav Grossman published an article describing how he found a 19-year-old logic bug in WinRAR and used it to achieve code execution.

The CVE numbers related to WinRAR code execution are as follows:

CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253

0x01 vulnerability details

The flaw is in UNACEV2.dll, an obsolete dynamic link library used by WinRAR. It was compiled in 2006 without any basic protection mechanisms (ASLR, DEP, etc.). The library's purpose is to handle archives in ACE format. A directory traversal vulnerability in its decompression process allows a file to be written into the startup items, resulting in code execution.

The same dynamic link library is also used by some other compression software on the market, which may carry the same code execution risk. 360CERT recommends that users delete UNACEV2.dll from the software's directory to protect themselves.

Software that may be at risk is as follows:

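Bandizip <= 6.2.0.0

好压 (2345 压缩) <= 5.9.8.10907

360 压缩 <= 4.0.0.1170

360 压缩 has been confirmed not to be affected by this vulnerability. For other products, please follow their official websites.

The following screenshots all show the installation directories after downloading and installing each product from its official website at 2019-02-21 14:00:05:

UNACEV2.dll present in WinRAR

UNACEV2.dll present in Bandizip

UNACEV2.dll present in 好压

UNACEV2.dll present in 360 压缩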

WinRAR 5.70 Beta 1 has removed the DLL

0x02 affected versions

WinRAR < 5.70 Beta 1

0x03 repair recommendation

Upgrade to the latest version of WinRAR as soon as possible. The current version is 5.70 Beta 1.

The download addresses are as follows:

32-bit:

http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe

64-bit:

http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe

How to delete UNACEV2.dll

Select the icon of the software in question and open its right-click menu

Find the relevant file and delete it

Restarting the computer afterwards is recommended.

For other compression software, handle the DLL in the same way, or watch for updates from the vendor.

Bandizip <= 6.2.0.0

好压 (2345 压缩) <= 5.9.8.10907

360 压缩 <= 4.0.0.1170

360 压缩 has been confirmed to be updated today. For other products, please follow their official websites.
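
The following Python script is an added example, not part of the original advisory. It automates the check described above by searching install directories for UNACEV2.dll (matched case-insensitively) and recording each copy's size and SHA-256. Instead of deleting the file it renames it, so the change can be rolled back; the root directories and the `.disabled` suffix are assumptions.

```python
import hashlib
import os
from pathlib import Path

TARGET = "unacev2.dll"  # file name from the advisory, compared case-insensitively


def find_unacev2(roots):
    """Return a sorted list of Paths to every UNACEV2.dll under the given roots."""
    hits = []
    for root in roots:
        # onerror ignores unreadable directories so one ACL failure does not stop the scan
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            hits.extend(Path(dirpath) / name for name in files if name.lower() == TARGET)
    return sorted(hits)


def describe(path):
    """Size and SHA-256, so the finding is recorded before the file is touched."""
    data = Path(path).read_bytes()
    return {"path": str(path), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def quarantine(path, suffix=".disabled"):
    """Rename instead of delete (an assumption of this example, not the advisory's step).
    The archiver can no longer load the DLL by name. Returns the new path."""
    src = Path(path)
    dst = src.with_name(src.name + suffix)
    os.replace(src, dst)  # raises PermissionError on Windows if the DLL is loaded
    return dst


if __name__ == "__main__":
    # Assumed default install locations; adjust to the software actually deployed.
    roots = [os.environ.get("ProgramFiles", r"C:\Program Files"),
             os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)")]
    for hit in find_unacev2(roots):
        print(describe(hit))  # call quarantine(hit) after reviewing the report
```

If `quarantine` fails because the archiver is running, close the archiver and run it again.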

0x04 vulnerability effect

Before decompressing the malicious package

After decompressing the malicious package
