WinRAR flaw lets attackers trick users with ANSI escape sequences

May 23, 2024

TLDR:

  • A critical vulnerability, tracked as CVE-2024-36052, has been discovered in WinRAR
  • Attackers can deceive users by using ANSI escape sequences in file names within ZIP archives

A critical vulnerability has been discovered in WinRAR, a popular file compression and archiving utility for Windows. The flaw, tracked as CVE-2024-36052 and identified by Siddharth Dushantha, affects WinRAR versions prior to 7.00 and allows attackers to spoof the screen output using ANSI escape sequences. The issue arises from WinRAR’s lack of proper validation and sanitization of file names within ZIP archives. When a specially crafted ZIP archive containing a file with ANSI escape sequences in its name is extracted using WinRAR, the application does not neutralize the escape sequences. Instead, it interprets them as control characters, allowing attackers to manipulate the displayed file name and potentially trick users into running malicious files.

ANSI escape sequences are special codes used to control the formatting and appearance of text in command-line interfaces and terminals. Most sequences start with an ASCII escape character (ESC, \x1B) followed by a bracket character ([) and are embedded into the text. By crafting malicious archives containing these sequences, attackers can manipulate the displayed output and deceive users into believing they are opening a harmless file, such as a PDF or image. When a user attempts to open the seemingly benign file from within WinRAR, the vulnerability is triggered due to improper handling of file extensions. Instead of launching the expected file, WinRAR’s ShellExecute function receives an incorrect parameter and executes a hidden malicious script, such as a batch file (.bat) or command script (.cmd), Dushantha said. This script can then install malware on the victim’s device while simultaneously displaying the decoy document to avoid raising suspicion.

This vulnerability is specific to WinRAR on Windows and differs from CVE-2024-33899, which affects WinRAR on Linux and UNIX platforms. WinRAR’s Linux and UNIX versions are also susceptible to screen output spoofing and denial-of-service attacks via ANSI escape sequences. To mitigate the risk, users are advised to update to WinRAR version 7.00 or later, which includes a fix for the issue. Additionally, exercising caution when opening archives from untrusted sources and enabling file extension visibility in Windows can help prevent this type of attack. The vulnerability was publicly disclosed on May 23, 2024, and WinRAR users should act promptly to protect their systems from potential exploitation.
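
As an added example (not code from the original article or from WinRAR), the following Python check lists ZIP entries whose names contain ANSI escape sequences or other control characters, so an archive from an untrusted source can be screened before it is opened. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# CSI sequence: ESC [ + parameter bytes + intermediate bytes + one final byte.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any C0/C1 control character; none belongs in a displayed file name.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

def sanitize_name(name: str) -> str:
    """Return a display-safe name: control characters become visible \\xNN text."""
    return CONTROL_RE.sub(lambda m: f"\\x{ord(m.group()):02x}", name)

def audit_zip(data: bytes) -> list[dict]:
    """Report every entry whose stored name contains a control character."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if CONTROL_RE.search(name):
                findings.append({
                    "safe_name": sanitize_name(name),        # safe to print or log
                    "stripped": CSI_RE.sub("", name),        # name with CSI removed
                    "csi_count": len(CSI_RE.findall(name)),  # escape sequences found
                })
    return findings

def build_sample() -> bytes:
    """Constructed sample: one ordinary name, one with a colour-change sequence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "ok")
        zf.writestr("report\x1b[1;31m.txt", "ok")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_zip(build_sample()):
        print(finding)
```

Printing `safe_name` rather than the raw name matters here: echoing the stored name to a terminal would let the embedded sequence act on the screen of whoever runs the check.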
