A critical, 19-year-old remote code execution vulnerability has been identified in WinRAR and is being actively exploited in the wild. The vulnerability is tracked as CVE-2018-20250 and exists in ‘unacev2.dll’, a library used to extract the old and rarely used ACE archive format. It allows attackers to take complete control of a target system by tricking the victim into opening a maliciously crafted archive. Once the victim opens the malicious archive, an executable file is extracted to one of the Windows Startup folders, where it runs automatically on the next system reboot. Proof-of-concept (PoC) exploit code for this WinRAR vulnerability has already been published.

A large malspam email campaign distributing malicious RAR archive files that try to exploit this vulnerability has been observed. The campaign features more than 100 unique exploits for this vulnerability, and this count is expected to go up in the coming days.

Several other vulnerabilities were discovered in WinRAR at the same time: CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253.


Affected:
WinRAR versions prior to and including 5.61 are affected.


Impact:
CVE-2018-20250 is an absolute path traversal vulnerability in ‘unacev2.dll’ that leads to remote code execution on the target machine. All an attacker has to do is convince a user to open a maliciously crafted compressed archive file using WinRAR while it is running with administrator privileges, or on a targeted system with UAC (User Account Control) disabled. If UAC is enabled, extraction to the ‘C:\ProgramData’ folder fails and exploitation does not succeed.
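
The bug class described above is an extractor trusting a path stored inside the archive. The following is an added example, not code from this advisory, WinRAR or unacev2.dll: a check an extraction routine or a mail-gateway scanner can run on each entry name under Windows path rules. The function names, the destination directory and the sample entry names are constructed for illustration.

```python
"""Classify archive entry names before extraction (Windows path semantics)."""
import ntpath
from pathlib import PureWindowsPath

# Lower-case fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"\start menu\programs\startup"


def check_entry(name: str, dest: str) -> str:
    """Return 'ok', or the reason this entry must not be written under dest."""
    p = PureWindowsPath(name)
    # Drive letters (C:\x, C:x), UNC shares and rooted paths all ignore dest.
    if p.drive or p.root:
        return "absolute-path"
    # normpath collapses "a\..\..\b"; the result must still sit under dest.
    base = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, name)))
    if target != base and not target.startswith(base.rstrip("\\") + "\\"):
        return "traversal"
    # Inside dest, but dest itself overlaps an autorun location.
    if STARTUP_MARKER in target:
        return "startup-folder"
    return "ok"


def audit(names, dest):
    """Map every rejected entry name to the reason it was rejected."""
    return {n: r for n in names if (r := check_entry(n, dest)) != "ok"}


# Constructed entry names, not taken from any real sample.
SAMPLE = [
    r"docs\readme.txt",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\x.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe",
    r"\\server\share\x.exe",
    r"C:x.exe",
    "docs/../../x.exe",
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, r"C:\Users\alice\Downloads\out").items():
        print(f"{reason:14} {name}")
```

Only the first sample entry passes; the rest are rejected before any file is written, regardless of which privileges the extracting process holds.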


Solution:
Please refer to this KB article.


Summary
WinRAR Remote Code Execution Vulnerability (CVE-2018-20250) Exploited in the Wild
Publisher Name
SecPod Technologies