#VU17469 Privilege escalation in WinRAR - CVE-2018-20251

Cybersecurity Help s.r.o.

Published: 2019-02-11 | Updated: 2020-05-18

Vulnerability identifier: #VU17469

Vulnerability risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-20251

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
WinRAR
Client/Desktop applications / Software for archiving

Vendor: RARLAB

Description

The vulnerability allows a local attacker to gain elevated privileges.

The vulnerability exists due to a validation function (in WinRAR code) that inspects the filename field for each compressed file in the ACE archive is being called before extraction of ACE archives. The extraction operation should be aborted and no file or folder should be extracted. However, the check of the return value from the validator function made too late (in UNACEV2.dll), after the creation of files and folders. A local attacker can disallow the filename by the validator function (for example, the filename contains path traversal patterns) and gain elevated privileges.

Mitigation
Update to version 5.70 Beta 1.

Vulnerable software versions

WinRAR: 4.00 - 5.61

External links
https://www.win-rar.com/whatsnew.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in WinRAR