Information

WinRAR extracts archives of ACE (.ace) format using a third party dll named unacev2.dll.
Each compressed file in an ACE archive contains “filename” field, this field of the ACE format represent the relative path to the
decompressed file (after extraction). WinRAR passes to unacev2.dll 4 pointers to callback functions which resides in WinRAR code.
These callback function are called by unacev2.dll during the extraction process and the filename field of each compressed file
is passed to this callback.
The return value form the callback functions determines if the specific compressed file is allowed to be extracted or not.
WinRAR’s callback validates the filename path by checking for “problematic characters” like paths that start with
“/” or “" and also checks for forbidden patterns such as “/../” or other similar attempts for path traversal.
Whenever it finds such patterns it returns a stop status to unacev2.dll (ACE_CALLBACK_RETURN_CANCEL).

Bug Description

A validation function (in WinRAR code) is being called before extraction of ACE archives.
The validation function inspects the filename field for each compressed file in the ACE archive.
In case the filename field is disallowed by the validator function (for example, the filename contains path traversal patterns)
The extraction operation should be aborted and no file or folder should be extracted.
However, the check of the return value from the validator function made too late (in UNACEV2.dll)
after the creation of files and folders. It prevent the write operation to the extracted files only.

This bug allows creation of an empty files outside the destination folder in disallowed names and paths.

PoC

there is a Poc file named poc.rar
upon extraction of the poc.rar via WinRAR, it ignores the destination folder and extracts an empty file named some_file.txt to “c:\windows\temp”


Attachments:
poc.rar

References:
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.rarlab.com/rarnew.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20251