NSFOCUS reserves all the rights to modify and interpret this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS does not provide any commitment or promise on this advisory. This advisory is only used to describe a potential risk. Users who cannot upgrade to the latest version for the time being can protect against this vulnerability by deleting UNACEV2.DLL from the WinRAR installation directory. Therefore, users can upgrade WinRAR to this version to protect against this vulnerability. WinRAR 5.70 Beta 1 deletes UNACEV2.dll so as not to decompress. Following is an incomplete list of compression tools incorporating UNACEV2.dll.ģ Recommended Solution 3.1 Version Upgrade Users of these tools should also check for official upgrade notices or delete UNACEV2.dll. Our inspection finds that some other compression tools also incorporate UNACEV2.dll and are therefore possibly affected by this vulnerability. As the most popular compression tool, WinRAR has more than 500 million users around the world. WinRAR is a Windows data compression/decompression tool that can be used to create and view RAR or ZIP compression files and decompress files of various compression formats. Now WinRAR has to completely stop supporting the vulnerable format (.ace). This vulnerability has been in WinRAR for more than 19 years. This indicates that an attacker could write a malicious file to an arbitrary path, thus making it possible to plant a backdoor trojan. ace files, leading to directory traversal. The vulnerability exists in UNACEV2.dll in WinRAR, which does not properly sanitize file names when decompressing. When a victim opens this malicious file with WinRAR, the attack is complete. An attacker could exploit this vulnerability by crafting an archive and then tricking victims into downloading it by means of a phishing email, net disk, or forum. Recently, a security researcher found a logical bug in WinRAR using the WinAFL fuzzer and exploited it to gain full control over a victim’s computer.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |