Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

Hi @ll,

the executable installers of WinRAR 5.30 and earlier versions
as well as ALL self-extracting archives created with them
load and execute UXTheme.dll, RichEd32.dll and RichEd20.dll
from their "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places the DLLs named above in the users
"Downloads" directory (for example per drive-by download or
social engineering) this vulnerability becomes a remote code
execution.

Due to the application manifest embedded in the executable
installer which specifies "requireAdministrator" it is run
with administrative privileges ("protected" administrators
are prompted for consent, unprivileged standard users are
prompted for an administrator password); execution of the
DLLs therefore results in an escalation of privilege!


See <http://seclists.org/fulldisclosure/2015/Nov/101>
and <http://seclists.org/fulldisclosure/2015/Dec/86>
plus <http://seclists.org/fulldisclosure/2015/Dec/121>
for more details.


RARLabs published WinRAR 5.31 on 2016-02-04:
<http://www.rarlab.com/rarnew.htm> 


stay tuned
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/