WinRAR users urged to upgrade to fix critical vulnerabilities

Users are advised to upgrade their WinRAR installations to fix two high-severity flaws that attackers could exploit to execute arbitrary code. The RAR archive format, which WinRAR creates and unpacks, has been abused by cybercriminals before because of its long history and widespread popularity on the internet.

Vulnerabilities could allow execution of malicious code

One of the vulnerabilities is tracked as CVE-2023-40477 and was found by a researcher using the name goodbyeselene, who reported it through Trend Micro’s Zero Day Initiative (ZDI) program. It is rated 7.7 on the CVSS scale, which corresponds to high severity. “This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR,” the ZDI advisory reads. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

The flaw is a buffer overflow condition that stems from the way WinRAR processes recovery volumes (.REV files). Recovery volumes are special files that WinRAR creates when an archive is split into multiple parts (volumes); they allow the program to reconstruct a missing or damaged file in a volume set. The issue is caused by improper validation of user-supplied data in .REV files, which can result in memory access beyond the allocated buffer. This can be exploited to execute code in the context of the WinRAR process.
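The vulnerability class described above, a length or size field taken from the file and trusted without checking it against the destination buffer and the remaining input, is illustrated below with a constructed toy record format. This is an added example and is not WinRAR's code, nor a description of the .REV file layout; the record structure, the `PAYLOAD_CAP` limit and the sample byte strings are all assumptions made up for the illustration. The unchecked parser shows the defective pattern; the checked parser shows the two bounds checks that prevent both the out-of-bounds write and the out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format (hypothetical, not a real archive layout):
 *   [u16 little-endian declared_len][declared_len bytes of payload]
 * The parser copies the payload into a fixed-size buffer. */
#define PAYLOAD_CAP 16

typedef struct {
    uint8_t payload[PAYLOAD_CAP];
    size_t  len;
} record_t;

static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Defective pattern: the attacker-controlled length field is trusted.
 * If declared > PAYLOAD_CAP the memcpy writes past out->payload;
 * if declared > buf_len - 2 it also reads past the end of the input.
 * Kept here only to show the pattern; never call it on untrusted data. */
int parse_record_unchecked(const uint8_t *buf, size_t buf_len, record_t *out) {
    if (buf_len < 2) return -1;
    uint16_t declared = read_u16le(buf);
    memcpy(out->payload, buf + 2, declared);
    out->len = declared;
    return 0;
}

/* Hardened form: validate the declared length against both the
 * destination capacity and the bytes actually present in the input
 * before any copy takes place. */
int parse_record_checked(const uint8_t *buf, size_t buf_len, record_t *out) {
    if (buf == NULL || out == NULL || buf_len < 2) return -1;
    uint16_t declared = read_u16le(buf);
    if (declared > PAYLOAD_CAP)  return -2;  /* would overflow the destination */
    if (declared > buf_len - 2)  return -3;  /* truncated input, would over-read */
    memcpy(out->payload, buf + 2, declared);
    out->len = declared;
    return 0;
}

/* Constructed sample records. */
const uint8_t SAMPLE_GOOD[]      = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };  /* declares 5, has 5 */
const uint8_t SAMPLE_OVERSIZED[] = { 0xFF, 0x7F, 'A', 'A', 'A', 'A' };       /* declares 32767 */
const uint8_t SAMPLE_TRUNCATED[] = { 0x0A, 0x00, 'x', 'y' };                  /* declares 10, has 2 */

/* Runs the hardened parser on one sample and returns its status code. */
int check_sample(const uint8_t *buf, size_t buf_len) {
    record_t rec;
    memset(&rec, 0, sizeof rec);
    return parse_record_checked(buf, buf_len, &rec);
}

int main(void) {
    printf("good record:      %d\n", check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD));           /* 0 */
    printf("oversized record: %d\n", check_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED)); /* -2 */
    printf("truncated record: %d\n", check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)); /* -3 */
    return 0;
}
```

The two checks are independent: a length larger than the buffer is the classic overflow, while a length larger than the remaining input is an over-read that can leak adjacent memory or crash the parser. A parser for any container format with self-describing sizes needs both.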

The second vulnerability, mentioned in the WinRAR 6.23 release notes, can lead to the execution of the wrong file when the user double-clicks an item inside a specially crafted archive. Andrey Polovinkin from Group-IB’s Threat Intelligence unit is credited with reporting this issue, but it’s not clear whether he discovered it himself or found it being used in attacks.

Long history of attackers exploiting RAR

The RAR archive format dates back to 1993 and gained widespread popularity because of its good compression ratio and its ability to create split archives — archives divided into smaller parts. This made distributing large files easier in the early days of the internet, when network instability could easily corrupt a download.

RAR remains popular today despite being a proprietary format, and Microsoft is testing native read-only support for it and other archive formats such as 7z in Windows 11. Until that ships, users have to rely on the WinRAR archive manager to create or unpack such archives, and according to the program’s developers, over 500 million users do.

The widespread use of the RAR archive format has also led cybercriminals to adopt it for distributing malware via email, either as attachments or as URLs pointing to such files. The format’s support for password-protected archives makes it a convenient delivery mechanism for attackers, because email security solutions cannot unpack and scan the contents of a password-protected archive without the password.

WinRAR itself has come under attack before. In 2019 attackers exploited a remote code execution issue in WinRAR’s handling of .ACE archives — WinRAR handles multiple archive types besides RAR. Because the WinRAR developers no longer had access to the source code of the component that handled the proprietary ACE format, they removed support for it entirely in later versions after the flaw was discovered.
