The attack requires access to the same network, compromised router, or fake Wi-Fi hotspot
Positive Technologies researcher, Igor Sak-Sakovsky has discovered a vulnerability in the WinRAR archiver, which has more than 500 million users worldwide. The vulnerability affects WinRAR versions prior to 6.02 beta 1; attacks can be carried out remotely, and no authorization is required.
The bug was assigned the identifier CVE-2021-35052 (vendor notification, vulnerability details) and a score of 8.2 on the CVSSv3 scale, which corresponds to a high threat level. The issue was discovered in the WinRAR web notifier, which is used to display notifications after WinRAR's first launch or expiry of the trial period. In such cases, the WinRAR web notifier goes to HTTPS://notifier.win-rar.com/.
"In vulnerable versions of WinRAR, web requests sent by the WinRAR web notifier can be intercepted as part of an MITM (man-in-the-middle) attack, or to create a backdoor or carry out an RCE attack—execution of arbitrary files from a remote SMB server," explains Igor Sak-Sakovsky. "A successful attack requires setting up a fake Wi-Fi hotspot, hacking the router, spoofing the DNS, or just being on the same network as the victim. When running files from an SMB server, there are denylist restrictions on executable file extensions. In particular, when launching .bat, .vbs, .exe, and .msi files, a notification about the malicious file will be displayed with suggested actions. But given that WinRAR lacks an auto-update feature, and vulnerable versions are common, an attacker can bypass the restrictions and mask the launch using old exploits for WinRAR or Microsoft Office."
From a technical point of view, the vulnerability is caused by the WinRAR web notifier's use of the incorrectly configured web browser module. Such errors can be detected during penetration testing, or by using an application security analyzer, such as PT Application Inspector.
To fix the issue, the vendor recommends installing WinRAR 6.02 beta 1 or a newer version of the product.
Vulnerability management systems, such as MaxPatrol VM, can automate the detection and prioritization of such vulnerabilities. SIEM-class systems (in particular, MaxPatrol SIEM) can identify signs of penetration (in the event, that an update cannot be installed), as well as detect suspicious behavior on the server, log incidents, and halt the advance of intruders in the corporate network.