Smuggle mischievous JavaScript into WinRAR archives? Sure, why not

The popular WinRAR compression software can be abused to produce self-extracting archives that execute smuggled-in JavaScript code when decompressed. A proof-of-concept exploit to pull off the trick has been published, and its creator reckons it works on all versions of WinRAR. It's not quite the end of the world, though: …


  1. Zmodem

    good job 7zip has better compression ratios on all types of files

    1. Anonymous Coward

      Indeed.

      I recall doing a factory restore on a netbook the other week, one of the factory bundled applications was WinRAR. I downloaded 7-zip and uninstalled WinRAR just out of principle (WinRAR is commercial shareware, 7-zip is opensource freeware).

      Looks like it was the right decision.

    2. Anonymous Coward

      Yes, there is only one time I use WinRAR these days, and that's when I encounter a RARv5 archive, as they can (at present) only be decompressed by genuine RAR products. Once the format is reverse-engineered, then perhaps I can abandon this product again.

      1. Rol Silver badge

        I unpack everything in Linux, because:-

        1. Linux has all the tools needed for free

        2. Linux is highly unlikely to be infected by a contagion designed for Windows.

        3. Linux has all the tools needed for free

        and lastly Linux has all the tools needed for free.

        1. Just Enough

          Dear Linux user..

          Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.

          Good for you, Mr Dog Owner, but your input is not relevant and not interesting.

          1. Rol Silver badge

            Re: Dear Linux user..

            Did I mention it was free.

            1. dogged

              Re: Dear Linux user..

              So is 7zip.

              Shut up.

            2. K Silver badge
              Gimp

              Re: Dear Linux user..

              "Did I mention it was free."

              That is what your mum said... were you listening in again?

          2. phil dude
            Linux

            Re: Dear Linux user..

            yes, but I might not own a cat but I can still catch the diseases it carries....

            P.

          3. Rick Giles
            Linux

            Re: Dear Linux user..

            Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.

            A more apt description has never been made.

            Linux is loyal like a dog and can be trained.

            Whereas a cat is aloof and arrogant and does what it damn well pleases. Just like Windows.

            As with cats, all Windows computers should be euthanized...

            1. Anonymous Coward

              Re: Dear Linux user..

              Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.

              A more apt description has never been made.

              Linux is yappy and bites you? And needs lots of attention?

            2. TimeMaster T
              Meh

              Re: Dear Linux user..

              "As with cats, all Windows computers should be euthanized..."

              Agree with last part. Disagree with first.

          4. Stig2k

            Re: Dear Linux user..

            Linux users have an odd definition of the word 'free' too.

            Linux is only 'free' if your time is worthless.

            1. Teiwaz Silver badge

              Re: Dear Linux user..

              Personally, my time is too valuable to spend it using windows unless paid to.

              My personal data is too valuable to give away to Microsoft to flog (don't use many Google products either).

          5. swampdog

            Re: Dear Linux user..

            sudo yum list | egrep "rar|zip" | grep installed | awk -F'.' '{print $1}' | awk -F'-' '{print $1}' | sort | uniq

            bzip2

            gzip

            p7zip

            rar

            unrar

            unzip

            zip

            ..and tada! The dog is eating catfood.

            1. Rick Giles
              Mushroom

              Re: Dear Linux user..

              ..and tada! The dog is eating catfood.

              But it has to have some wine to swallow the cat(Windows)food(programs)...

          6. Teiwaz Silver badge

            Re: Dear (non) Linux user..

            It's more likely the other way round. Linux is a product for cats. Windows is for when you must be part of the pack.

            You only have to look at linux forums to see the old line about 'herding cats' is well mirrored.

            Over all I'd rather be a cat than a dog, rather a goat than a sheep.

            1. Rick Giles
              Trollface

              Re: Dear (non) Linux user..

              rather a goat than a sheep.

              Don't insult the sheep by comparing them to Windows users...

        2. Anonymous Coward

          > 2. Linux is highly unlikely to be infected by a contagion designed for Windows.

          True, but Windows is unlikely to be infected by malware designed for linux, such as whatever infected these little beauties.

          Have you looked at your outgoing data usage recently?

          1. Alistair Silver badge

            Urrrrrrrrrrm.

            Stupid passwords are a problem on all OSes, that's not a code vuln dude.

          2. Rick Giles
            Trollface

            True, but Windows is unlikely to be infected by malware designed for linux, such as whatever infected these little beauties.

            As with all tools, if you don't learn to properly use it, you are going to end up hurting/killing yourself or others.

            Besides, that was Asia. Must have burnt down some phone lines and modem banks...

          3. swampdog

            That vuln is equivalent to you using "Administrator" or "password" as the password for an administrator account under windoze. It can be fixed thusly..

            sudo cat /etc/ssh/sshd_config | egrep "PermitRoot|PasswordA" | egrep -v "^#"

            PermitRootLogin no

            sudo /etc/init.d/sshd restart

            ..and the reason it exists in the first place is because linux often runs on headless machines. You need to get into those remotely at least once in order to set up the real account through which you will always subsequently connect (also: "PasswordAuthentication no").
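As an added example (not part of swampdog's post, and not any project's own code), here is a POSIX shell script that audits an sshd_config for the two settings mentioned above. The `egrep "PermitRoot|PasswordA" | egrep -v "^#"` one-liner prints every uncommented match, which can mislead when a keyword appears more than once: sshd applies the first uncommented occurrence of a keyword and ignores later ones. The function names `sshd_effective` and `sshd_audit`, and the sample config written to a temp file, are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for PermitRootLogin / PasswordAuthentication,
# honouring sshd's rule that the FIRST uncommented occurrence of a keyword wins.
# Match blocks are not evaluated, so only the global defaults are reported.

# sshd_effective KEY FILE -> prints the first non-comment value of KEY
# (keyword match is case-insensitive, as in sshd); prints "unset" if absent.
sshd_effective() {
    key=$1
    file=$2
    val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                   # skip comment lines
        tolower($1) == "match" { exit }       # stop at the first Match block
        tolower($1) == k { print $2; exit }   # first occurrence wins
    ' "$file")
    printf '%s\n' "${val:-unset}"
}

# sshd_audit FILE -> returns 0 when root login and password auth are both
# explicitly "no"; returns 1 and prints one line per finding otherwise.
# "unset" is treated as a finding: the stock defaults are not "no".
sshd_audit() {
    file=$1
    rc=0
    root=$(sshd_effective PermitRootLogin "$file")
    pass=$(sshd_effective PasswordAuthentication "$file")
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root' (want no)"; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '$pass' (want no)"; rc=1; }
    return $rc
}

# Constructed sample config (not a real host's file): the hardened
# "PermitRootLogin no" comes AFTER an earlier "yes", so a grep for the
# keyword shows both lines while sshd only honours the first one.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF

sshd_audit "$SAMPLE_CFG" && echo "hardened" || echo "NOT hardened"
```

Run it against `/etc/ssh/sshd_config` by calling `sshd_audit /etc/ssh/sshd_config` (reading that file usually needs root); a non-zero exit means at least one of the two settings is not effectively "no", which is the case the grep pipeline above can hide. Remember to restart or reload sshd after editing the file, as the post says.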

        3. Captain Scarlet Silver badge

          I unpack everything on Windows, because:-

          1. I'm lazy

          Also a 7zip user here, although I tend to use other open source projects like Peazip if I think someone will get confused by it.

        4. ItsNotMe
          FAIL

          @Rol

          "Linux won the day as the more secure alternative to Windows, but now its popularity has made it vulnerable, according to Akamai."

          "Malware that has hijacked Linux systems for the past year has been recorded flooding targeted websites at speeds of over 150Gbps."

          "The key takeaway, however, is that attackers aren't only using Windows these days to build botnets - and Akamai warns that this particular example is just part of a wider trend that may have been made possible because Linux was seen as more secure than Windows, causing companies to adopt Linux. So today there are enough Linux systems to make it worthwhile to pick low-hanging Linux fruit, namely poorly configured systems."

          http://www.zdnet.com/article/linux-powered-botnet-generates-giant-denial-of-service-attacks/

          That's it kid...keep your Linux head in the sand...loser.

          1. Rol Silver badge

            Re: @Rol

            Ha ha ha, you're so funny. Are you twelve or suffering some mental disorder?

            Or both?

            How can I pay sweet FA for a proper operating system that has never failed me and be a loser?

            Conversely, how can you pay top dollar for a steaming pile of crap and think you're somehow a winner?

      2. Anonymous Coward

        Reverse engineered? You have no clue, do you? How about checking out the full details of RAR5 on the WinRAR site, or indeed the freely distributed UnRAR code?

    3. AMBxx Silver badge
      Boffin

      7-zip

      Another happy 7-zip user here. I just wish they'd drop the Beta tag on every release for the last 5 years.

    4. hailbaal

      It's free, it's faster, it offers more features, it's better to look at and it's opensource. Can't beat that!

  2. Ben Liddicott

    WARNING: Executable code may execute code

    These are executables. Clue is in the acronym: SFX = Self Extracting Executable

    So this amounts to: If you can persuade a user to execute an executable, then that executable can execute code embedded in the executable. Like all executables. So this buys you nothing you don't already have.

    Not every bug is a security bug. #notavulnerability

    1. Ben Liddicott

      Re: WARNING: Executable code may execute code

      "press release" by security researcher mindlessly regurgitated by supposedly reputable sources:

      MalwareBytes: Here the very first comment points out how daft it is.

      PacketStorm

      And yet twitter is going wild with people mindlessly retweeting this as if they discovered it.

    2. Mongo

      Re: WARNING: Executable code may execute code

      Bravo! I wondered if El Reg had elided some critical step but nope, his PoC really does say "open the SFX".

      Is this a deliberate ploy by Iran to make us underrate their hackers?

    3. ShelLuser

      @Ben

      If you can persuade a user to execute an executable, then that executable can execute code embedded in the executable.

      Actually it goes deeper than that. Because people who don't trust these executables also have the option to right click and "open in archiver". Then WinRAR gets started and it'll display the archives contents, and will also provide options to extract it. Many people who don't trust the executable often use this method instead.

      Yet that can now also result in issues.

      1. Prst. V.Jeltz Silver badge

        Re: @Ben

        True, sometimes you peek in a self-extractor without running it.

        But at the end of the day, any files you find that have been compressed with RAR (.exe or .rar) are probably malicious anyway.

        I expect 7zip will eat away at WinZip & RAR's market share steadily till it's got 90%.

        1. Captain Underpants

          @ Prst. V.Jeltz

          For stuff found on random websites, I guess.

          Although in a former role I spent some time defining workflows for packaging software installers into SFX files. This was required because some packages we had to deploy required scripted pre- and post-install cleanup tasks (think along the lines of how Java or Skype used to either not remove old versions or wig out on you if you had certain previous releases installed, requiring you to manually uninstall them before proceeding), and the software distribution system in question could accept compressed files - but only on the proviso that, when extracted, the installation command were something like "setup.exe"; it had no method for coping with scripts of any kind that I could find.

          7zip is a thing of beauty as far as I'm concerned. I know Windows 10 and PowerShell 5 have finally introduced CLI support for archive-manipulation tasks but I've been very happy knowing that I can compress or extract files as part of a script using 7zip.

        2. Eddy Ito Silver badge

          Re: @Ben

          The problem is that the typical user doesn't care about 7z, zip, rar, bz2 or anything else, they want to open the file which is why self extracting archives exist in the first place. They don't want to deal with decoding file extensions and finding the appropriate utility to open it. This is doubly true since MS turned file extension visibility off by default. The only time you'll find a specific utility on a machine is if a particular format is popular in some region where the user frequents and it isn't handled natively by the OS. The only way 7zip has a hope of gaining a 90% share is if MS and Apple support it natively.

      2. dan.s

        Re: @Ben

        "Yet that can now also result in issues."

        No it can't. Opening an SFX with WinRAR to display and extract its contents doesn't display embedded HTML comments using embedded IE. Get a clue before commenting, willya?

    4. Anonymous Coward

      Re: WARNING: Executable code may execute code

      Agreed however for your average user if they download a rar with the executable from a semi-trusted source e.g. newsgroups/torrents used previously with no problem then the temptation to click will be higher depending on how much they want whatever it is they have downloaded. Also your average user will be unaware of this issue as it probably won't be reported in mainstream news.

      1. Prst. V.Jeltz Silver badge

        Re: WARNING: Executable code may execute code

        They should be using my 2nd rule of computing - "learn what a file extension is, unhide them, and use them to determine what you are doing"

        1st rule is "learn what a filepath is", so you can find the shit you saved

        1. Fibbles

          Re: WARNING: Executable code may execute code

          Your second rule fails on operating systems where file extensions aren't obligatory.

          I.e. pretty much everything that isn't Windows.

    5. Frumious Bandersnatch Silver badge

      Re: WARNING: Executable code may execute code

      Well yeah, but no, but yeah.

      It all depends on whether the routine to display the sfx text is only called when running the output exe program or if it's called in the normal run of displaying the archive contents. Both the article and the vulnerability description just mention "opening" the archive and it's ambiguous what's meant by this.

    6. darklordsid

      Re: WARNING: Executable code may execute code

      The issue is the code is sneaked in due to a fault in the way sfx "text and icon" data is assembled by WinRAR.

      I agree that no one is in error if they distrust any unknown executable from any unknown source, but the point is that the vulnerability allows one to easily add executing code where it should not be.

      In any case I would generally recommend Open Source software like 7-Zip, PeaZip (can also open RAR5 archives), p7zip... rather than closed source ones, as code audit is easier (burdened neither by i.p. issues nor hampered by unavailability of the full code base) and security issues are usually found and fixed faster.

  3. Velv Silver badge
    Pirate

    Nice of Mohammed to publish it straight to the wild instead of giving the authors a chance to remedy any vulnerability prior to release (90 days notice?). (the article doesn't mention any notice being given)

    Aiding and abetting criminal behaviour by showing open doors to criminals. Don't get me wrong, vulnerabilities need to be exposed, but it should be done in a controlled manner that minimises the risk of widespread exploitation to further compromise the Internet.

    1. Anonymous Coward

      1) It's not a vulnerability.

      2) He seems to have stolen the POC code anyway so that tells you all you want about his integrity and intellect.

  4. Pascal Monett Silver badge
    Thumb Down

    "software download sites like CNET and Softpedia"

    Who never give you a link to the file you wish to download, but link to a wrapper that has to install on your PC and launch in order to download.

    I know how to download. You know I know how to download. You putting a wrapper in there has sod all to do with "enhancing the user experience" and everything to do with sucking private data from me.

    I never download from any site that forces a wrapper on me. There is literally no good reason for that behavior.

    Besides, I've been using 7zip for years now. That's not going to change.

    1. dogged
      Thumb Up

      Re: "software download sites like CNET and Softpedia"

      Agreed on all counts.

    2. Shades

      Re: "software download sites like CNET and Softpedia"

      I've found that if you look carefully enough (and I mean very carefully) there is usually a link to directly download a file hidden somewhere amongst all the crappy in your face attempts to get you to download their "installer" first. I know I've downloaded stuff from the aforementioned sites and never ever installed the sites own "installers".

      1. Anonymous Coward

        Re: "software download sites like CNET and Softpedia"

        Even those fine print links were put in AFTER the internet exploded in justifiable anger against such seedy practices.

  5. Proud Father

    A real shame, but it happens.

    I have followed WinRAR for a long time, ever since I bought a license in fact.

    The code quality by the author is excellent, the alpha builds are more stable and bug free than some 'release' software I could mention.

    There is currently a version 5.30 beta 4 so I'm sure the fix will be applied pretty quickly.

    1. Anonymous Coward

      Re: A real shame, but it happens.

      No fix required since it's not a vulnerability in the first place.

  6. Anonymous Coward

    My Curiosity

    I have asked this question of various students for at least 10 years. "What do you use to open .RAR files?" I know the answer before they reply, I then say "Use 7zip instead" http://www.7-zip.org/


Biting the hand that feeds IT © 1998–2019