Security Alerts 19 Year Old WinRAR Vulnerability Disclosed
Thursday, Feb 21, 2019
A vulnerability in how WinRAR handles ACE archives was disclosed on February 21st. Legitimate ACE archives can only be generated by one program, WinACE, which has not seen any updates since at least November 2007. The vulnerability is specifically in unacev2.dll, which contains the code for how to decompress ACE archives. Due to how ACE archives store file paths and flaws in unacev2.dll, a malicious archive can be created to extract files anywhere in the file system, regardless of the actual intended destination for the archived files.
This exploit can be done with files of any file type that WinRAR supports, as WinRAR handles archives based on magic bytes and not file extension.
A patch is available in WinRAR 5.7. The patch simply removes support for the ACE format.
Organizations are also encouraged to review if any other programs are using the unacev2.dll, as this is the source of the vulnerability and could be used in exploits of other programs.