Smuggle mischievous JavaScript into WinRAR archives? Sure, why not

The popular WinRAR compression software can be abused to produce self-extracting archives that execute smuggled-in JavaScript code when decompressed. A proof-of-concept exploit to pull off the trick has been published, and its creator reckons it works on all versions of WinRAR. It's not quite the end of the world, though: …

  1. Zmodem

    good job 7zip has better compression ratios on all types of files

    1. Anonymous Coward
      Anonymous Coward

      Indeed.

      I recall doing a factory restore on a netbook the other week, one of the factory bundled applications was WinRAR. I downloaded 7-zip and uninstalled WinRAR just out of principle (WinRAR is commercial shareware, 7-zip is opensource freeware).

      Looks like it was the right decision.

    2. Anonymous Coward
      Anonymous Coward

      Yes, there is only one time I use WinRAR these days, and that's when I encounter a RARv5 archive, as they can (at present) only be decompressed by genuine RAR products. Once the format is reverse-engineered, then perhaps I can abandon this product again.

      1. Rol

        I unpack everything in Linux, because:-

        1. Linux has all the tools needed for free

        2. Linux is highly unlikely to be infected by a contagion designed for Windows.

        3. Linux has all the tools needed for free

        and lastly Linux has all the tools needed for free.

        1. Just Enough

          Dear Linux user..

          Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.

          Good for you, Mr Dog Owner, but your input is not relevant and not interesting.

          1. Rol

            Re: Dear Linux user..

            Did I mention it was free.

            1. dogged

              Re: Dear Linux user..

              So is 7zip.

              Shut up.

            2. K
              Gimp

              Re: Dear Linux user..

              "Did I mention it was free."

              That is what your mum said... were you listening in again?

          2. phil dude
            Linux

            Re: Dear Linux user..

            yes, but I might not own a cat but I can still catch the diseases it carries....

            P.

          3. Rick Giles
            Linux

            Re: Dear Linux user..

            Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.

            A more apt description has never been made.

            Linux is loyal like a dog and can be trained.

            Whereas a cat is aloof and arrogant and does what it damn well pleases. Just like Windows.

            As with cats, all Windows computers should be euthanized...

            1. Anonymous Coward
              Anonymous Coward

              Re: Dear Linux user..

              Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.

              A more apt description has never been made.

              Linux is yappy and bites you? And needs lots of attention?

            2. TimeMaster T
              Meh

              Re: Dear Linux user..

              "As with cats, all Windows computers should be euthanized..."

              Agree with last part. Disagree with first.

          4. Stig2k

            Re: Dear Linux user..

            Linux users have an odd definition of the word 'free' too

            Linux is only 'free' if your time is worthless.

            1. Teiwaz

              Re: Dear Linux user..

              Personally, my time is too valuable to spend it using windows unless paid to.

              My personal data is too valuable to give away to Microsoft to flog (I don't use many Google products either)

          5. swampdog

            Re: Dear Linux user..

            sudo yum list | egrep "rar|zip" | grep installed | awk -F'.' '{print $1}' | awk -F'-' '{print $1}' | sort | uniq

            bzip2
            gzip
            p7zip
            rar
            unrar
            unzip
            zip

            ..and tada! The dog is eating catfood.

            1. Rick Giles
              Mushroom

              Re: Dear Linux user..

              ..and tada! The dog is eating catfood.

              But it has to have some wine to swallow the cat(Windows)food(programs)...

          6. Teiwaz

            Re: Dear (non) Linux user..

            It's more likely the other way round. Linux is a product for cats. Windows is for when you must be part of the pack.

            You only have to look at linux forums to see the old line about 'herding cats' is well mirrored.

            Overall I'd rather be a cat than a dog, rather a goat than a sheep.

            1. Rick Giles
              Trollface

              Re: Dear (non) Linux user..

              rather a goat than a sheep.

              Don't insult the sheep by comparing them to Windows users...

        2. Anonymous Coward
          Anonymous Coward

          > 2. Linux is highly unlikely to be infected by a contagion designed for Windows.

          True, but Windows is unlikely to be infected by malware designed for linux, such as whatever infected these little beauties.

          Have you looked at your outgoing data usage recently?

          1. Alistair

            Urrrrrrrrrrm.

            Stupid passwords are a problem on all OSes, that's not a code vuln dude.

          2. Rick Giles
            Trollface

            True, but Windows is unlikely to be infected by malware designed for linux, such as whatever infected these little beauties.

            As with all tools, if you don't learn to properly use it, you are going to end up hurting/killing yourself or others.

            Besides, that was Asia. Must have burnt down some phone lines and modem banks...

          3. swampdog

            That vuln is equivalent to you using "Administrator" or "password" as the password for an administrator account under windoze. It can be fixed thusly..

            sudo cat /etc/ssh/sshd_config | egrep "PermitRoot|PasswordA" | egrep -v "^#"
            PermitRootLogin no

            sudo /etc/init.d/sshd restart

            ..and the reason it exists in the first place is because linux often runs on headless machines. You need to get into those remotely at least once in order to set up the real account through which you will always subsequently connect (also: "PasswordAuthentication no").
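As an added example (not the commenter's own code), a small POSIX shell audit for the two sshd_config directives named above. It assumes only awk and mktemp are available; the sample configs are constructed inline.

```shell
#!/bin/sh
# Audit an sshd_config for PermitRootLogin and PasswordAuthentication.
# sshd applies the FIRST occurrence of a keyword, matches keywords
# case-insensitively, accepts "Key Value" or "Key=Value", and anything
# after a "Match" line is conditional, so the scan stops there.

# Print the effective global value of one directive ("unset" if absent).
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }          # rest is conditional
        !found && NF >= 2 && tolower($1) == tolower(key) { print $2; found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when both directives are explicitly "no".
# "unset" counts as a failure: sshd's defaults (PasswordAuthentication yes,
# and a version-dependent PermitRootLogin) are not the hardened setting.
sshd_audit() {
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' "$root" "$pass"
    [ "$root" = "no" ] && [ "$pass" = "no" ]
}

# Constructed sample resembling the poster's box: root login disabled, but
# PasswordAuthentication only commented out (so sshd's default still applies);
# the copy inside the Match block does not count globally.
SAMPLE_WEAK=$(mktemp)
cat >"$SAMPLE_WEAK" <<'EOF'
# constructed sshd_config sample
Port 22
permitrootlogin no
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

# Constructed sample with both directives set; the later duplicate is ignored.
SAMPLE_FIXED=$(mktemp)
cat >"$SAMPLE_FIXED" <<'EOF'
PermitRootLogin=no
PasswordAuthentication no   # key-based auth only
PasswordAuthentication yes  # ignored: sshd keeps the first value
EOF

for f in "$SAMPLE_WEAK" "$SAMPLE_FIXED"; do
    if sshd_audit "$f"; then echo "  -> hardened"; else echo "  -> needs attention"; fi
done
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config`; `sshd -T` prints the daemon's own view of the effective values if you want to cross-check.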

        3. Captain Scarlet Silver badge

          I unpack everything on Windows, because:-

          1. I'm lazy

          Also a 7zip user here, although I tend to use other open source projects like Peazip if I think someone will get confused by it.

        4. ItsNotMe
          FAIL

          @Rol

          "Linux won the day as the more secure alternative to Windows, but now its popularity has made it vulnerable, according to Akamai."

          "Malware that has hijacked Linux systems for the past year has been recorded flooding targeted websites at speeds of over 150Gbps."

          "The key takeaway, however, is that attackers aren't only using Windows these days to build botnets - and Akamai warns that this particular example is just part of a wider trend that may have been made possible because Linux was seen as more secure than Windows, causing companies to adopt Linux. So today there are enough Linux systems to make it worthwhile to pick low-hanging Linux fruit, namely poorly configured systems."

          http://www.zdnet.com/article/linux-powered-botnet-generates-giant-denial-of-service-attacks/

          That's it kid...keep your Linux head in the sand...loser.

          1. Rol

            Re: @Rol

            Ha ha ha , you're so funny. Are you twelve or suffering some mental disorder?

            Or both?

            How can I pay sweet FA for a proper operating system that has never failed me and be a loser?

            Conversely, how can you pay top dollar for a steaming pile of crap and think you're somehow a winner?

      2. Anonymous Coward
        Anonymous Coward

        Reverse engineered? You have no clue, do you? How about checking out the full details of RAR5 on the WinRAR site, or indeed the freely distributed UnRAR code?

    3. AMBxx Silver badge
      Boffin

      7-zip

      Another happy 7-zip user here. I just wish they'd drop the Beta tag on every release for the last 5 years.

    4. hailbaal

      It's free, it's faster, it offers more features, it's better to look at and it's opensource. Can't beat that!

  2. Ben Liddicott

    WARNING: Executable code may execute code

    These are executables. Clue is in the acronym: SFX = Self Extracting Executable

    So this amounts to: If you can persuade a user to execute an executable, then that executable can execute code embedded in the executable. Like all executables. So this buys you nothing you don't already have.

    Not every bug is a security bug. #notavulnerability

    1. Ben Liddicott

      Re: WARNING: Executable code may execute code

      "press release" by security researcher mindlessly regurgitated by supposedly reputable sources:

      MalwareBytes: Here the very first comment points out how daft it is.

      PacketStorm

      And yet twitter is going wild with people mindlessly retweeting this as if they discovered it.

    2. Anonymous Coward
      Anonymous Coward

      Re: WARNING: Executable code may execute code

      Bravo! I wondered if El Reg had elided some critical step but nope, his PoC really does say "open the SFX".

      Is this a deliberate ploy by Iran to make us underrate their hackers?

    3. Anonymous Coward
      Anonymous Coward

      @Ben

      If you can persuade a user to execute an executable, then that executable can execute code embedded in the executable.

      Actually it goes deeper than that. Because people who don't trust these executables also have the option to right click and "open in archiver". Then WinRAR gets started and it'll display the archive's contents, and will also provide options to extract it. Many people who don't trust the executable often use this method instead.

      Yet that can now also result in issues.

      1. Prst. V.Jeltz Silver badge

        Re: @Ben

        True, sometimes you peek in a self-extractor without running it.

        But at the end of the day, any files you find that have been compressed with RAR (.exe or .rar) are probably malicious anyway.

        I expect 7zip will eat away at WinZip and RAR's market share steadily till it's got 90%

        1. Captain Underpants

          @ Prst. V.Jeltz

          For stuff found on random websites, I guess.

          Although in a former role I spent some time defining workflows for packaging software installers into SFX files. This was required because some packages we had to deploy required scripted pre- and post-install cleanup tasks (think along the lines of how Java or Skype used to either not remove old versions or wig out on you if you had certain previous releases installed, requiring you to manually uninstall them before proceeding), and the software distribution system in question could accept compressed files - but only on the proviso that, when extracted, the installation command were something like "setup.exe"; it had no method for coping with scripts of any kind that I could find.

          7zip is a thing of beauty as far as I'm concerned. I know Windows 10 and PowerShell 5 have finally introduced CLI support for archive-manipulation tasks but I've been very happy knowing that I can compress or extract files as part of a script using 7zip.

        2. Eddy Ito

          Re: @Ben

          The problem is that the typical user doesn't care about 7z, zip, rar, bz2 or anything else, they want to open the file, which is why self extracting archives exist in the first place. They don't want to deal with decoding file extensions and finding the appropriate utility to open it. This is doubly true since MS turned file extension visibility off by default. The only time you'll find a specific utility on a machine is if a particular format is popular in some region the user frequents and it isn't handled natively by the OS. The only way 7zip has a hope of gaining a 90% share is if MS and Apple support it natively.

      2. dan.s

        Re: @Ben

        "Yet that can now also result in issues."

        No it can't. Opening an SFX with WinRAR to display and extract its contents doesn't display embedded HTML comments using embedded IE. Get a clue before commenting, willya?

    4. Anonymous Coward
      Anonymous Coward

      Re: WARNING: Executable code may execute code

      Agreed, however for your average user, if they download a rar with the executable from a semi-trusted source (e.g. newsgroups/torrents used previously with no problem) then the temptation to click will be higher depending on how much they want whatever it is they have downloaded. Also your average user will be unaware of this issue as it probably won't be reported in mainstream news.

      1. Prst. V.Jeltz Silver badge

        Re: WARNING: Executable code may execute code

        They should be using my 2nd rule of computing - "learn what a file extension is , unhide them ,and use them to determine what you are doing"

        1st rule is "learn what a filepath is", so you can find the shit you saved

        1. Fibbles

          Re: WARNING: Executable code may execute code

          Your second rule fails on operating systems where file extensions aren't obligatory.

          I.e. pretty much everything that isn't Windows.

    5. Frumious Bandersnatch

      Re: WARNING: Executable code may execute code

      Well yeah, but no, but yeah.

      It all depends on whether the routine to display the sfx text is only called when running the output exe program or if it's called in the normal run of displaying the archive contents. Both the article and the vulnerability description just mention "opening" the archive and it's ambiguous what's meant by this.

    6. darklordsid

      Re: WARNING: Executable code may execute code

      The issue is the code is sneaked in due to a fault in the way sfx "text and icon" data is assembled by WinRar.

      I agree that no one is in error if they distrust any unknown executable from any unknown source, but the point is that the vulnerability allows one to easily add executing code where it should not be.

      In any case I would generally recommend Open Source software like 7-Zip, PeaZip (can also open RAR5 archives), p7zip... rather than closed source ones, as code audit is easier (burdened neither by i.p. issues nor hampered by unavailability of the full code base) and security issues are usually found and fixed faster.

  3. Velv
    Pirate

    Nice of Mohammed to publish it straight to the wild instead of giving the authors a chance to remedy any vulnerability prior to release (90 days notice?). (the article doesn't mention any notice being given)

    Aiding and abetting criminal behaviour by showing open doors to criminals. Don't get me wrong, vulnerabilities need to be exposed, but it should be done in a controlled manner that minimises the risk of widespread exploitation to further compromise the Internet.

    1. Anonymous Coward
      Anonymous Coward

      1) It's not a vulnerability.

      2) He seems to have stolen the POC code anyway so that tells you all you want about his integrity and intellect.

  4. Pascal Monett Silver badge
    Thumb Down

    "software download sites like CNET and Softpedia"

    Who never give you a link to the file you wish to download, but link to a wrapper that has to install on your PC and launch in order to download.

    I know how to download. You know I know how to download. You putting a wrapper in there has sod all to do with "enhancing the user experience" and everything to do with sucking private data from me.

    I never download from any site that forces a wrapper on me. There is literally no good reason for that behavior.

    Besides, I've been using 7zip for years now. That's not going to change.

    1. dogged
      Thumb Up

      Re: "software download sites like CNET and Softpedia"

      Agreed on all counts.

    2. Shades

      Re: "software download sites like CNET and Softpedia"

      I've found that if you look carefully enough (and I mean very carefully) there is usually a link to directly download a file hidden somewhere amongst all the crappy in-your-face attempts to get you to download their "installer" first. I know I've downloaded stuff from the aforementioned sites and never ever installed the sites' own "installers".

      1. Anonymous Coward
        Anonymous Coward

        Re: "software download sites like CNET and Softpedia"

        Even those fine print links were put in AFTER the internet exploded in justifiable anger against such seedy practices.

  5. Proud Father

    A real shame, but it happens.

    I have followed WinRAR for a long time, ever since I bought a license in fact.

    The code quality by the author is excellent, the alpha builds are more stable and bug free than some 'release' software I could mention.

    There is currently a version 5.30 beta 4 so I'm sure the fix will be applied pretty quickly.

    1. Anonymous Coward
      Anonymous Coward

      Re: A real shame, but it happens.

      No fix required since it's not a vulnerability in the first place.

  6. Anonymous Coward
    Anonymous Coward

    My Curiosity

    I have asked this question of various students for at least 10 years. "What do you use to open .RAR files?" I know the answer before they reply, I then say "Use 7zip instead" http://www.7-zip.org/

    1. Anonymous Coward
      Anonymous Coward

      Re: My Curiosity

      Until you encounter a RARv5 archive which 7zip doesn't recognize. That's why I have to keep WinRAR v5+ as a secondary target.

      PS. May drop it for PeaZip (also LGPL like 7zip) if its RARv5 plugin works...

      1. John Brown (no body) Silver badge

        Re: My Curiosity

        "Until you encounter a RARv5 archive which 7zip doesn't recognize. That's why I have to keep WinRAR v5+ as a secondary target."

        Does WinRAR not still install the rar and unrar command line tools? If it does, will unrar filename.rar|sfx or rar x filename.rar \dest\dir\ work without triggering this bug/vuln? And likewise, will they work with a RARv5 archive?

        I ask because it's some years since I dealt with rar files on Windows and I used to download enough rar files to make it worth scripting batch files to test and extract them to suitable locations. I use FreeBSD these days and I've not seen a rar file that rar/unrar couldn't extract. Maybe I've just not seen a RARv5 file yet since I don't see rar files of any type very often these days <shrugs>

        1. Anonymous Coward
          Anonymous Coward

          Re: My Curiosity

          Not a bug/vuln.

          "I've not seen a rar file that rar/unrar couldn't extract"

          Duh, because the unrar code is freely provided by the RAR developer for obvious reasons.

  7. The Vociferous Time Waster

    Wait...

    You mean you can't just use the zip capability your OS already has?

    1. Ken Hagan Gold badge

      Re: Wait...

      Sadly not, because the world is full of people who think that you should avoid a widely implemented and published compression method just because an undocumented one with a single implementation is promising a percent or two improvement on some kinds of files.

  8. Anonymous Coward
    Anonymous Coward

    Re. 90 day rule

    Better to release it first, on the grounds that those in the know can simply disable the affected applications until a fix can be applied.

  9. Anonymous Coward
    Anonymous Coward

    Ah WinRAR

    The modern day Winzip.

    Has anyone here ever seen a licensed version of either product?

    I've been in IT for 20 years and never have.

    1. Fibbles

      Re: Ah WinRAR

      I haven't installed winrar in years. Does it still allow you to be on day one billion of a thirty day trial?

  10. Anonymous Coward
    Anonymous Coward

    I thought everybody knew that

    these are self-executing extractables.

    As others quicker than me have already pointed out, the hint is in the name: execution, as in running code (from a source of unknown trustworthiness - what could possibly go wrong).

  11. badger31

    +1 for 7-zip

    It's on my list of windows essential programs (Chrome, Firefox, VLC, Programmers Notepad, etc.).

    Plus, on the rare occasions when I have downloaded an executable file, I always ask 7-zip to take a look inside, even if I trust the source, even if I don't think it's an SFX, because just in case, you know.

  12. Rick Giles
    Joke

    People

    People are stupid

    When you're a sysadmin

    Their faces are stupid

    And won't leave you alone

    My apologies to Jim Morrison...

  13. LaRock0wns

    Jumped the gun

    It looks like the author here jumped the gun on this story - http://seclists.org/bugtraq/2015/Sep/139

  14. Henry Wertz 1 Gold badge

    Why do people reply with posts like this? Because.

    "Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections."

    I don't reply with posts like that (usually). But I can see why people do -- too many people comment as though it's a natural state for computers to have to be on this vigilant lookout for viruses, and spyware, and updates from the vendor that do bad things, and buggy updates, and weird software conflicts, and on and on and on. These people like to point out that this is just Windows, not the natural state of all computers.

    1. Steve Graham

      Re: Why do people reply with posts like this? Because.

      And, indeed, nowhere in the article was it mentioned that the vulnerability is in one Windows program, not all software which might be able to open that kind of archive.

  15. Breen Whitman

    But if winrar dies, future generations will never hear "a winrar is you"
