Multiple vulnerabilities in WinRAR

1) Privilege escalation

EUVDB-ID: #VU17468

Risk: Low

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-20250

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists due to a logical bug. A local attacker can craft the filename field of the ACE format, cause the destination folder (extraction folder) to be ignored, and the relative path in the filename field to become an absolute Path, extract a file to an arbitrary location and execute arbitrary code with elevated privileges.

Mitigation

Update to version 5.70 Beta 1.

Vulnerable software versions

WinRAR: 4.00 - 5.61

External links

http://www.win-rar.com/whatsnew.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted archive.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Privilege escalation

EUVDB-ID: #VU17469

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-20251

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists due to a validation function (in WinRAR code) that inspects the filename field for each compressed file in the ACE archive is being called before extraction of ACE archives. The extraction operation should be aborted and no file or folder should be extracted. However, the check of the return value from the validator function made too late (in UNACEV2.dll), after the creation of files and folders. A local attacker can disallow the filename by the validator function (for example, the filename contains path traversal patterns) and gain elevated privileges.

Mitigation

Update to version 5.70 Beta 1.

Vulnerable software versions

WinRAR: 4.00 - 5.61

External links

http://www.win-rar.com/whatsnew.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted archive.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Out-of-bounds write

EUVDB-ID: #VU17470

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-20252

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists due to out-of-bounds write during parsing of crafted ACE and RAR archive formats. A local attacker can supply specially crafted input, trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Update to version 5.70 Beta 1.

Vulnerable software versions

WinRAR: 4.00 - 5.61

External links

http://www.win-rar.com/whatsnew.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted archive.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Out-of-bounds write

EUVDB-ID: #VU17819

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-20253

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists due to out-of-bounds write during parsing crafted LHA / LZH archive formats. A local attacker can supply specially crafted input, trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Update to version 5.70 Beta 1.

Vulnerable software versions

WinRAR: 4.00 - 5.60

External links

http://www.win-rar.com/whatsnew.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted archive.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.