Remote code execution vulnerability found in older versions of WinRAR, update it now

Daniel Sims

In brief: Last week, a researcher discovered a vulnerability in older trial versions of the WinRAR file compression software. It allows for remote code execution—essentially allowing an attacker to intercept and change requests sent to WinRAR users.

Web security researcher Igor Sak-Sakovskiy published an article on October 20 detailing the WinRAR vulnerability with the assigned Common Vulnerabilities and Exposures ID CVE-2021-35052. The vulnerability affects WinRAR trial version 5.70, but not the latest iteration (v. 6.02), which developers updated in July. You can download it from the TechSpot downloads section or from the WinRAR website.

Researchers discovered the vulnerability when they noticed a JavaScript error in version 5.70 by chance. Investigating further, they found it possible to intercept WinRAR's connection to the internet and change its responses to the end-user.

However, the exploit still triggers Windows security warnings except when running a docx, pdf, py, or rar file. To work, users have to click "Yes" or "Run" on the dialog box. Thus, users should be careful when these windows appear while running WinRAR. The attacker would also need to have access to the same network domain as the target.

Sak-Sakovskiy also notes that earlier versions of WinRAR are vulnerable to remote code execution through the more well-known exploit CVE-2018-20250 from 2019.

If you're unsure which version of WinRAR you have, after opening the program, click "Help" at the top of the window, then click "About WinRAR." For those who would prefer to switch, a good alternative program is 7-Zip, also available from TechSpot downloads.


ypsylon

I haven't used winrar for a long time. Nobody should because you've got 7zip
Then I guess I'm nobody.

Using Rar since DOS and then WinRar across all Winblows versions and will continue until WinRar project is dead. It always synergized well with Norton Commander and now Total Commander. Because 7zip is free it doesn't mean it's good/best or only choice.
 

Kosmoz

We're old school, so yes to both WinRar and Total Commander.

Younger generations don't understand...
 

BSim500

I haven't used winrar for a long time. Nobody should because you've got 7zip
One big reason why people use WinRAR instead of 7zip is data integrity. Aside from the obvious that 7zip has no recovery records whatsoever (no ability to self-repair in the event of data corruption), its CRC32 is laughably out of date:-

1. Create 6x text files named a.txt, b.txt, c.txt, etc. Then add the following words, one word per file, no space / character returns, etc. Make sure each text file is the number of bytes shown:-

a.txt (7 bytes) with the word codding
b.txt (3 bytes) with the word gnu
c.txt (7 bytes) with the word petfood
d.txt (10 bytes) with the word eisenhower
e.txt (9 bytes) with the word graceless
f.txt (9 bytes) with the word Bigfooted

2. Using 7zip, create a .7z archive containing those 6x files, then open it in 7-zip so you can see the CRC32 column. Result - Instant triple CRC32 collision using simple dictionary words. (a & b will both CRC32 as 69C8C72D, c & d will both CRC32 as D0132158, and e & f will both CRC32 as 30FFE775) (link).

3. Using WinRAR, create a .rar archive containing those same 6x files and make sure that "Use Blake2 file checksum" is ticked. Result - Completely different checksums (as they should be) (link).

I often use 7zip too but it desperately needs to drag itself out of 1961 as WinRAR is indeed light years ahead for data integrity features...
 
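An added check for the procedure in the post above (not part of the thread or of either tool): the Python below groups the six words by CRC-32, prints 256-bit BLAKE2 digests of the same inputs, and goes one step further with a birthday search showing that any 32-bit checksum yields a collision after roughly tens of thousands of random inputs. Assumptions: `zlib.crc32` is the standard CRC-32, and `hashlib.blake2s` stands in for WinRAR's BLAKE2 option, so the digests will not match what WinRAR displays.

```python
import hashlib
import zlib
from collections import defaultdict

# Words from the post above (one word per file, no trailing newline).
WORDS = [b"codding", b"gnu", b"petfood", b"eisenhower", b"graceless", b"Bigfooted"]


def crc32_groups(items):
    """Group inputs by their CRC-32 value (standard polynomial, as in zlib)."""
    groups = defaultdict(list)
    for data in items:
        groups[zlib.crc32(data)].append(data)
    return dict(groups)


def blake2_digests(items):
    """256-bit BLAKE2s digests; a stand-in for WinRAR's BLAKE2 checksum (assumption)."""
    return {data: hashlib.blake2s(data).hexdigest() for data in items}


def first_random_collision(limit=1_000_000):
    """Birthday search: feed pseudo-random 16-byte messages until two share a CRC-32.

    With a 32-bit output, a 50% chance of collision is reached near 77,000 inputs.
    """
    seen = {}
    for i in range(limit):
        msg = hashlib.sha256(str(i).encode()).digest()[:16]  # constructed sample input
        crc = zlib.crc32(msg)
        if crc in seen and seen[crc] != msg:
            return i + 1, seen[crc], msg
        seen[crc] = msg
    return None


if __name__ == "__main__":
    for crc, members in crc32_groups(WORDS).items():
        print(f"{crc:08X}", [m.decode() for m in members])
    for data, digest in blake2_digests(WORDS).items():
        print(digest[:16], data.decode())
    tried, a, b = first_random_collision()
    print(f"CRC-32 collision after {tried} random messages: {a.hex()} / {b.hex()}")
```

CRC-32 is an error-detection code for accidental corruption; neither it nor an unkeyed hash stored inside the archive protects against deliberate modification by someone who can rewrite the archive.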

ZedRM

There is a simple method for those who don't want to update and have to buy an all new license: Don't allow WinRAR access to the internet. Firewalls exist for a reason.
 

Reehahs

That's a fantastic check.
 

0dium

That's a cool find, buuuut does it change anything in daily usage? Like I never had problems with it. Also it doesn't clutter the context menu like winrar does
 

BSim500

That's a cool find, buuuut does it change anything in daily usage?
The entire point of a checksum is to guarantee uniqueness, not "broken algorithms that cause common collisions are not a problem if I pretend they aren't". CRC32 (invented in 1975) was replaced by MD5 (invented in 1991), and MD5 in turn was declared "cryptographically broken and unsuitable for further use" way back in 2008 (link), as was SHA-1 in 2011 and they've all been replaced by +256 bit algorithms like SHA256 or BLAKE2 for checksums. CRC32 is laughably out of date by literally +30 years. And yes, recovery records do change things in daily usage, especially for long-term archives of irreplaceable data being significantly more resilient to bad sectors / flash charge leakage / bitrot on HDDs / SSDs / optical disks.

Also it doesn't clutter the context menu like winrar does
Options -> Settings -> Integration (can select which items to include / exclude, which file types to apply to, choose cascading menu or not, choose icons in context menus or not, etc) is really not that hard to find...
 

rrwards

Any idea how Peazip fits into this? I can never remember if it's just a better UI version of 7zip or if it is its own FOSS archive tool.
 

RaXelliX

Also unlike 7zip, WinRAR can create more complex archives including self extracting ones. And WinRAR is in constant development whereas 7zip receives only one or two updates a year.

I use 7zip only when I need maximum compression but for scripting, data integrity and new features WinRAR is my go to.