Author Topic: Winrar exploit - update now  (Read 353 times)
o_e_l_e_o
March 08, 2019, 07:44:45 PM
Last edit: March 08, 2019, 09:12:09 PM by o_e_l_e_o
Merited by suchmoon (4), dbshck (4), pooya87 (2), ETFbitcoin (1), LoyceV (1), leowonderful (1), wwzsocki (1), yesiam6 (1), BitCryptex (1), DdmrDdmr (1)
 #1

Saw this post on reddit earlier: https://www.reddit.com/r/Bitcoin/comments/ayoz1k/hey_everybody_patch_your_winrar_or_lose_coins/

Long story short, there is an exploit in Winrar which allows an attacker to deploy a .exe file to your startup folder whenever you extract an archive, thereby automatically executing it next time you restart. This is obviously a massive risk to anyone who holds coins in a desktop wallet. You should update Winrar immediately to the latest version from here: https://www.rarlab.com/download.htm. Alternatively delete Winrar altogether and use 7zip instead (but don't be fooled into thinking that any piece of software is completely safe). Edit: As NeuroticFish points out below, 7zip also had a security vulnerability discovered last year, so if you are currently using that, you should update it too.

And if you aren't already, use a hardware wallet.

ETFbitcoin
March 08, 2019, 07:48:24 PM
 #2

Additionally, even though WinRAR is paid software, you can download the trial version and use it even after the trial has expired. You only get a pop-up which notifies you that the trial has already ended every time you open WinRAR.

NeuroticFish
March 08, 2019, 08:19:59 PM
Merited by suchmoon (4), hugeblack (1), o_e_l_e_o (1)
 #3

You only get a pop-up which notifies you that the trial has already ended every time you open WinRAR.

I've used WinRAR like that for a number of years, but it didn't feel OK. Now I use 7zip. It's free and it's as good as WinRAR.

Alternatively delete Winrar altogether and use 7zip instead (but don't be fooled in to thinking that any piece of software is completely safe).

If you (we) advertise 7zip, it's fair to say that 7zip also had a nasty vulnerability last year, so if anybody still has an ancient version of 7zip, that needs an update too.

wwzsocki
March 09, 2019, 12:50:35 PM
 #4

Thank you @o_e_l_e_o, I am actually using an old version of WinRar on my desktop together with my wallets, so yes, I am/was affected for sure.

I am out of merits right now, but as soon as I get my first sMerit it will fly your way.

You only get a pop-up which notifies you that the trial has already ended every time you open WinRAR.

If anybody wants to use WinRar legally the price excluding VAT is € 29,95 and this is a lifetime license.

I think it should be freeware, especially for personal use, not shareware, because 7zip and other programs like it are all gratis. Winrar is the only paid one in this group.

Awesomus Maximus
March 09, 2019, 12:56:46 PM
 #5

If you (we) advertise 7zip, it's fair to say that 7zip also had a nasty vulnerability last year, so if anybody still has an ancient version of 7zip, that needs an update too.

Thanks for the warning! I gave up on winrar a long time ago, using 7zip as a substitute. But I haven't updated in a while, so again, thanks for this information.
hugeblack
March 09, 2019, 05:58:38 PM
 #6

Is it not strange that hacker attacks are appearing in popular applications that we use frequently and trust by default? "Metamask, MEGA, ...etc."

If you (we) advertise 7zip, it's fair to say that 7zip also had a nasty vulnerability last year, so if anybody still has an ancient version of 7zip, that needs an update too.
Thank you, I'm using a very old version of that application and I have not updated it for a while.
I did not have a problem with that app, but it's better to update it. Thanks for the warning.

o_e_l_e_o
March 09, 2019, 07:48:36 PM
Merited by iasenko (1)
 #7

Is it not strange that hacker attacks are appearing in popular applications that we use frequently and trust by default? "Metamask, MEGA, ...etc."
It's very concerning. The WinRAR exploit was from a .dll file which hadn't been updated in 14 years. WinRAR did not have access to this .dll file's source code, so they just had to drop it altogether in the latest update. It's kind of similar to the CoPay wallet hack last year, where someone was granted admin rights to an unmaintained dependency of the wallet, and the wallet then pulled in the malicious code. Even if you completely trust the writers of the program you are using, and even if you look at the code yourself, it becomes an impossible task to personally audit every dependency/file for every piece of software.

It makes a really good argument for hardware wallets.

Crypto Girl
March 10, 2019, 08:06:12 AM
 #8

Thanks for the heads up, though my hardware wallet isn't connected to my desktop that has the old WinRAR application, so I think this is at least a relief for me.

If anybody wants to use WinRar legally the price excluding VAT is € 29,95 and this is a lifetime license.
How much will the VAT be? Does it depend on the country I'm residing in?
wwzsocki
March 10, 2019, 02:08:37 PM
 #9

Thanks for the heads up, though my hardware wallet isn't connected to my desktop that has the old WinRAR application, so I think this is at least a relief for me.

If anybody wants to use WinRar legally the price excluding VAT is € 29,95 and this is a lifetime license.
How much will the VAT be? Does it depend on the country I'm residing in?

Yes, this depends on the country you are actually residing in, @Crypto Girl, and making the purchase from, because you will be redirected to the proper page.

Additionally, I have info from the WinRAR page about the license and program usage after the 40 days of the free period.

Purchase of a WinRar license
After the forty-day trial period, you must uninstall WinRAR (Control Panel / Add or Remove Programs) or purchase a license that will allow you to continue to use WinRAR permanently and without restrictions. The WinRAR software license is for life. Prices and ordering options can be found on this page. Private individuals only need one license for all computers used in their own homes. With a single license, you can install and use the program on all computers belonging to the buyer.

You should buy a license because thanks to this:
-You are motivating us to continue working on WinRAR
-You can use WinRAR for commercial applications
-You have the right to access technical support via e-mail and WinRAR Service Centers around the world

The main licensing rules
-The license will be issued electronically, in the form of a key file, and the installation program is downloaded from the winrar website
-The WinRAR license will be issued by name in your name or company name.
-We cannot change, return or cancel the license after purchase. Test WinRAR for 40 days free of charge before ordering. During the testing period, the program is fully usable and has no functional limitations.

Velkro
March 10, 2019, 03:48:57 PM
 #10

Long story short, there is an exploit in Winrar which allows an attacker to deploy a .exe file to your startup folder whenever you extract an archive
This is so critical I can't stress this enough.
I'm very surprised; I checked many security websites I tend to visit sometimes, and they haven't mentioned it yet.
The Bitcoin community is the first to alert people about this, and so fast.

o_e_l_e_o
March 10, 2019, 04:36:38 PM
Last edit: March 10, 2019, 04:57:39 PM by o_e_l_e_o
 #11

This is so critical I can't stress this enough.
Its potential implications are far wider reaching than stealing bitcoins as well. An .exe file dropped in a Windows start-up folder could achieve anything from stealing data, encrypting your hard drive and asking for a ransom, keylogging, you name it. With an estimated 500 million WinRAR users, and who knows how many archives being downloaded and extracted every day, it's only a matter of time before someone takes advantage of this exploit big style. I'm sure there will be many individuals, and quite a few companies, hit with an attack of some sort using this method.

Kakmakr
March 10, 2019, 05:59:15 PM
 #12

The question is, if they are aware of the exploit, why have they not patched it and distributed the update? I have been using 7Zip and WinZip and WinRAR for years without noticing any strange behavior, but I have several AV and malware detection programs running on my computers.

I also use several other OSes like Tails and Linux for different uses, so one exploit in one piece of software will never stop me from doing my thing. I also use virtual machines for testing new software, to prevent critical infections.

Artemis3
March 11, 2019, 02:23:48 AM
 #13

The question is, if they are aware of the exploit, why have they not patched it and distributed the update? I have been using 7Zip and WinZip and WinRAR for years without noticing any strange behavior, but I have several AV and malware detection programs running on my computers.

I also use several other OSes like Tails and Linux for different uses, so one exploit in one piece of software will never stop me from doing my thing. I also use virtual machines for testing new software, to prevent critical infections.

7zip can open all file types, and can definitely make zip files, so there is zero reason to keep winzip and winrar. 7zip is free open source software, and that should be enough reason to give it priority.

In Linux other compression algorithms have now taken the spot, such as xz. I think 7zip can handle those too. There is 7z for Linux of course.

o_e_l_e_o
March 11, 2019, 06:26:12 AM
 #14

-snip-
The latest versions of WinZip, WinRAR, and 7zip can all support .xz files.

I agree about swapping to 7zip, but with the caveat that I pointed out in my first post, and also by NeuroticFish above - open source doesn't automatically mean safe. Always be careful.

UserU
March 11, 2019, 07:36:13 AM
 #15

Thanks for the heads up! I'll update mine ASAP.

And for something like this to happen not long after the Chrome 0-day attack, just wow...

DdmrDdmr
March 11, 2019, 02:41:26 PM
Last edit: March 11, 2019, 03:35:20 PM by DdmrDdmr
 #16

We should really be updating our winrar program asap if we intend to keep on using it. According to Bleeping Computer, there is already a Malspam running that exploits the rar vulnerability (see Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor).

The article describes a malspam campaign distributing a malicious rar file which, on extraction, ends up connecting to a site and downloading various files, amongst which is a Cobalt Strike Beacon DLL, used by hackers to gain control of your computer.

yesiam6
March 13, 2019, 09:11:06 PM
 #17

Thank you very much o_e_l_e_o, I updated my Winrar, but how could this exploit stay undetected for 14 years?
Are there any other cases of this exploit having been used in the past?

HCP
March 13, 2019, 10:34:13 PM
Merited by o_e_l_e_o (1)
 #18

Thank you very much o_e_l_e_o, I updated my Winrar, but how could this exploit stay undetected for 14 years?
Much the same way that the Electrum "error notification" exploit went undetected for so long... basically, no-one was looking for it, so no-one found it... The exploit wasn't in WinRAR itself, but in a bundled .DLL file for the ACE archiver, that the WinRAR devs did not have access to the source code for.

To make use of this exploit, you needed to craft a malicious .ace archive (which could be renamed to .rar) that abused the way the ACE archiver dealt with file paths. Essentially, you could trick the archiver into extracting files to ANY file path, regardless of what the user selected.

The implications of this are that you could then cause an arbitrary file to be extracted to the Windows "start-up" folder that would then be executed when the computer was next restarted...


Quote
Are there any other cases of this exploit having been used in the past?
As far as I'm aware, there are no known cases of this exploit having been used prior to the current "malspam" attack that was launched after the exploit became public and the exploit generator script was published on github.
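The check HCP describes the bundled ACE archiver as lacking, written up as an added example (not code from WinRAR, the ACE library, or anyone in this thread): a Python gate that an extractor would run on every stored entry name, refusing any whose normalised destination would land outside the directory the user chose. The entry names in SAMPLE_ENTRIES are constructed for illustration.

```python
import os
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed sample entry names (not from any real archive); the traversal and
# absolute-path ones stand in for the malformed paths the thread describes.
SAMPLE_ENTRIES = [
    "docs/readme.txt",               # ordinary relative entry
    "a/../b.txt",                    # '..' that still stays inside
    "../../Startup/update.exe",      # climbs out of the output directory
    "..\\..\\Startup\\update.exe",   # same, with Windows separators
    "C:\\Users\\Public\\update.exe", # absolute path with a drive letter
    "/etc/cron.d/job",               # absolute POSIX path
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_destination(extract_dir: str, member_name: str) -> Optional[str]:
    """Return the absolute path an entry may be written to, or None to refuse it."""
    # Archives made on Windows store backslashes; normalise to '/' first.
    name = member_name.replace("\\", "/")
    # Absolute paths and drive-letter paths are never acceptable.
    if name.startswith("/") or _DRIVE_RE.match(name):
        return None
    # Collapse '.' and '..' segments, then refuse anything still pointing upward.
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    # Belt and braces: the resolved target must sit under the extraction root.
    root = os.path.abspath(extract_dir)
    target = os.path.abspath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def plan_extraction(extract_dir: str, entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (accepted destinations, refused entry names)."""
    accepted, refused = [], []
    for entry in entries:
        dest = safe_destination(extract_dir, entry)
        (accepted if dest else refused).append(dest or entry)
    return accepted, refused


if __name__ == "__main__":
    ok, bad = plan_extraction("/tmp/out", SAMPLE_ENTRIES)
    print("would write:", ok)
    print("refused:", bad)
```

Running it against the sample list accepts only the two entries that resolve under /tmp/out and refuses the four that point outside it, which is the decision the vulnerable archiver never made.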
