ALERT: WinRAR Remote Code Execution Vulnerability (CVE-2018-20250) Exploited in the Wild



A critical 19-year-old remote code execution vulnerability has been identified in WinRAR, and it is currently being actively exploited in the wild. The vulnerability is tracked as CVE-2018-20250 and exists in ‘unacev2.dll’, a library used to extract the old and rarely used ACE archive format. A reliable vulnerability management tool can remediate it.

This vulnerability lets attackers take complete control of the target system by tricking the victim into opening a maliciously crafted archive. Once the victim opens the malicious archive file, an executable is extracted to one of the Windows Startup folders, where it runs automatically on the next system reboot. Proof-of-concept (PoC) exploit code for this WinRAR vulnerability has already been published. Patch management software can roll out the fix against these attacks.

A large malspam email campaign distributing malicious RAR archive files that attempt to exploit this vulnerability has been observed. The campaign features more than 100 unique exploits for this vulnerability, and this count is expected to rise in the coming days.

Several other vulnerabilities were discovered in WinRAR at the same time; these include CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253.


Affected:
WinRAR versions prior to and including 5.61 are affected.


Impact:
CVE-2018-20250 is an absolute path traversal vulnerability in ‘unacev2.dll’ that leads to remote code execution on the target machine. An attacker must convince the user to open a maliciously crafted compressed archive file with WinRAR while running it with administrator privileges, or on a targeted system with UAC (User Account Control) disabled. If UAC is enabled, extraction to the ‘C:\ProgramData’ folder fails and exploitation does not succeed.
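The extraction-path check that defeats the absolute path traversal described above, as an added Python example (not WinRAR's or the advisory's own code): it shows where an extractor that trusts the stored entry name would write each entry of a constructed archive listing, flags entries that escape the destination or land in a Startup folder, and includes the hardened variant that refuses them. The Startup folder fragment and the sample listing are assumptions constructed for this example.

```python
import ntpath

# Assumption (constructed for this example): both the per-user and the all-users
# Startup folders end in this fragment; the post only says "Windows Startup folders".
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"

# Constructed archive listing: one benign entry, one absolute-path entry aimed at
# the all-users Startup folder, and one relative traversal to the same place.
SAMPLE_LISTING = [
    "docs\\readme.txt",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe",
    "..\\..\\..\\..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe",
]

def naive_target(dest_dir: str, entry_name: str) -> str:
    """Path an extractor that trusts the stored name would write to.
    ntpath.join discards dest_dir when entry_name is absolute, which is the
    absolute path traversal behaviour the advisory attributes to unacev2.dll."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))

def escapes_destination(dest_dir: str, entry_name: str) -> bool:
    """True when the entry would land anywhere outside dest_dir (case-insensitive)."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\") + "\\"
    return not ntpath.normcase(naive_target(dest_dir, entry_name)).startswith(dest)

def targets_startup(dest_dir: str, entry_name: str) -> bool:
    """True when the written file would sit in a Startup folder (auto-run on logon)."""
    return STARTUP_FRAGMENT in ntpath.normcase(naive_target(dest_dir, entry_name))

def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened variant: refuse any entry that leaves dest_dir instead of writing it."""
    if escapes_destination(dest_dir, entry_name):
        raise ValueError(f"refusing to extract {entry_name!r}: escapes {dest_dir!r}")
    return naive_target(dest_dir, entry_name)

def scan_listing(dest_dir: str, names) -> list:
    """Return (entry_name, would_hit_startup) for every entry that escapes dest_dir."""
    findings = []
    for name in names:
        if escapes_destination(dest_dir, name):
            findings.append((name, targets_startup(dest_dir, name)))
    return findings

if __name__ == "__main__":
    for hit in scan_listing("C:\\Users\\bob\\Downloads\\out", SAMPLE_LISTING):
        print(hit)
```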


Solution:
Please refer to this KB article.