WinRAR Flaw: Attackers Deceiving Users Through ANSI Escape Sequences

A severe security flaw has been identified in WinRAR, the widely used file compression tool on Windows. This vulnerability, designated as CVE-2024-36052, impacts all versions of WinRAR up to 6.99. The discovery of this vulnerability highlights the potential risks posed by seemingly innocuous operations such as extracting files from a ZIP archive.

How the Vulnerability Works

The vulnerability stems from WinRAR's inadequate validation and sanitization of file names within ZIP archives, according to Siddharth Dushantha. This oversight allows attackers to use ANSI escape sequences to alter how file names are displayed.

For those who are not aware, ANSI escape sequences are a set of codes that control the display features of text in command-line environments (cursor movement, colour, erasing parts of a line). They typically begin with the ESC character (0x1B) followed by an opening square bracket.

When a user extracts a ZIP archive containing a malicious file whose name embeds these sequences, WinRAR does not strip them, so they are interpreted as display commands rather than shown as part of the name. The result is a deceptive file name that fools users into thinking they are opening a harmless file such as a PDF or an image.
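The defensive check that follows from this is to inspect archive entry names for escape and control characters before trusting what is displayed. The Python example below is added here and is not code from the article or from WinRAR; the in-memory archive and its `notes\x1b[31m.txt` entry are constructed test data, and the sanitized display name it produces is one possible approach, not WinRAR's fix.

```python
import io
import re
import zipfile

# ESC (0x1b) followed by '[' opens a CSI sequence; 0x9b is the single-byte C1 form.
# Any other control character is flagged too, since none belong in a file name.
CSI_RE = re.compile(r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_name(name: str) -> str:
    """Return a display-safe version of an archive entry name.

    Complete CSI sequences are removed first; any remaining control character
    is replaced by a visible placeholder so nothing is silently hidden.
    """
    without_csi = CSI_RE.sub("", name)
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), without_csi)


def scan_zip_names(data: bytes) -> list[dict]:
    """Flag every entry in a ZIP (given as raw bytes) whose name carries
    escape or control characters, and report a safe display form."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            raw = info.filename
            findings.append({
                "raw": raw,
                "display": sanitize_name(raw),
                "suspicious": bool(CONTROL_RE.search(raw)),
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign name and one carrying an SGR colour code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("notes\x1b[31m.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_names(build_sample_archive()):
        print(finding)
```

The same scan can be run at a mail gateway or on a file share to quarantine archives whose entry names contain control characters, regardless of which extraction tool the recipient uses.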

The Consequences of Exploitation

The exploit occurs when an unsuspecting user attempts to open what appears to be a benign file within WinRAR. Due to the flawed handling of file extensions, the program runs a hidden malicious script instead of the expected file.

This script could be a batch (.bat) or command (.cmd) script that installs malware on the user’s computer while displaying a decoy document to mask the malicious activity.

This issue is critical because it allows attackers to execute harmful scripts on a user’s system, potentially leading to unauthorized data access, system damage, or malware installation without the user’s knowledge.

Protecting Your System

Note that this issue is specific to the Windows version of WinRAR and is different from CVE-2024-33899, which impacts the Linux and UNIX versions of the software. Users of the Linux and UNIX versions of WinRAR face similar risks of screen output spoofing and denial-of-service attacks.

To safeguard against this vulnerability, users are urged to upgrade to WinRAR 7.00 or newer, which contains the necessary fix. Additionally, users should exercise caution when opening files from unknown sources and enable file extension visibility in Windows settings, so that a script masquerading as a document is shown with its real extension.
