Researchers from McAfee have observed more than 100 different exploits for a now-patched 19-year-old remote code execution vulnerability in the WinRAR compression tool ever since the path traversal bug was disclosed last month.
One of the more unusual exploits attempts to infect unpatched victims with malware by using a bootlegged copy of Ariana Grande’s “Thank U, Next” album as a lure, reports Craig Schmugar, principal engineer and senior security research architect at McAfee, in a March 14 company blog post.
“When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes,” explains Schmugar. “User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.”
With more than 500 million users (according to the WinRAR website), WinRAR is used to create and view archives in the .rar and .zip formats, as well as to unpack various other archive formats.
Revealed in February by researchers at Check Point Software Technologies, the flaw, CVE-2018-20250, affects WinRAR versions 5.61 and earlier. The problem was fixed in version 5.70, which was issued as a beta release in January and as a stable release on Feb. 26.
The entry for CVE-2018-20250 in NIST’s National Vulnerability Database states that the bug emerges in unpatched versions “when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path… This logical bug allows the extraction of a file to an arbitrary location which is effectively code execution.”
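To make the class of bug concrete, here is an added illustration (not code from WinRAR, Check Point or McAfee) of the check an archive extractor must apply to every member name before it creates a file: the name is only ever used as a path relative to the user's chosen destination folder, and any name that carries its own root (a drive letter, a UNC prefix, a leading separator) or climbs out with `..` is refused. The destination folder and the archive member names below are constructed for the example; Windows path rules are applied with Python's `ntpath` so the logic runs the same on any host.

```python
import ntpath
from typing import Optional


def safe_extract_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Return the full path an extractor may write `member_name` to inside
    `dest_dir`, or None if the name must be rejected.

    `dest_dir` is assumed to be an absolute Windows path. The point of the
    check is that the destination folder is never "ignored": a member name is
    only ever interpreted relative to it, whatever the name contains.
    """
    dest = ntpath.normpath(dest_dir)
    if not ntpath.isabs(dest):
        raise ValueError("dest_dir must be an absolute path")

    # An embedded NUL would truncate the name once it reaches a C file API.
    if "\x00" in member_name:
        return None

    # A drive letter or UNC prefix (C:, \\server\share) means the name brings
    # its own root; an extractor that honours it writes wherever the archive
    # author chose. This also catches doubled prefixes such as "C:\C:\...".
    drive, rest = ntpath.splitdrive(member_name)
    if drive:
        return None

    # A leading separator roots the name at the drive root, not at dest.
    if rest.startswith(("\\", "/")):
        return None

    # Join, normalise (collapses ".." and converts "/" to "\"), then prove the
    # result still lies strictly below dest.
    candidate = ntpath.normpath(ntpath.join(dest, rest))
    try:
        if ntpath.commonpath([dest, candidate]) != dest:
            return None
    except ValueError:
        return None  # different drives, or absolute/relative mix
    if candidate == dest:
        return None  # empty name, "." or similar
    return candidate


def classify_members(dest_dir: str, names):
    """Map each member name to its resolved path, or None when refused."""
    return {name: safe_extract_path(dest_dir, name) for name in names}


if __name__ == "__main__":
    # Constructed sample: one legitimate track name and several names that
    # try to escape the destination folder in different ways.
    DEST = r"C:\Users\alice\Downloads\extract"
    SAMPLE = [
        r"thank u, next\01 - imagine.mp3",
        "thank u, next/01 - imagine.mp3",
        r"C:\C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe",
        r"..\..\..\AppData\Roaming\hi.exe",
        r"\Users\alice\hi.exe",
        r"\\evil\share\hi.exe",
    ]
    for name, result in classify_members(DEST, SAMPLE).items():
        print(f"{'OK    ' if result else 'REJECT'} {name!r} -> {result}")
```

Every rejected name in the sample would, under a vulnerable extractor that trusts the filename field, produce a file somewhere the user never asked for; the Startup-folder drop described above is one such destination.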