Potential security vulnerability in ACE extraction #132
A couple of days ago Check Point Research found a vulnerability in unacev2.dll: a specially crafted ACE archive can be made that, when extracted, plants files anywhere in the host system, outside the target folder. Their whole write-up is here: https://research.checkpoint.com/extracting-code-execution-from-winrar/
UniExtract2 uses XAce Plus for ACE extraction instead of unacev2.dll, but I'd guess that it's also vulnerable.
The developer of WinAce apparently went bankrupt in 2017 and thus there won't be any more updates, security or otherwise, for ACE extractors. I think it would be best to just remove ACE extraction functionality completely to keep users safe.
Thanks for reporting!
I tested the POC archive and surprisingly XAce does not seem to be affected by these malicious files. On one of my test systems XAce crashed, but at least no files were written outside the output directory.
I think it is safe enough to keep XAce for now, but I will investigate switching to acefile as it is actively maintained.
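The flaw class discussed in this issue is an extractor that writes a member outside the chosen output folder. As an added example (not code from UniExtract2, XAce or acefile), the following pre-extraction check validates archive member names using Windows path rules; the function names `safe_target` and `unsafe_members` and the sample names are hypothetical and constructed for illustration.

```python
import ntpath  # Windows path rules as pure string logic, usable on any OS


def safe_target(output_dir, member_name):
    """Return the normalized path a member would be written to under
    output_dir, or raise ValueError if the name could escape it."""
    name = member_name.replace("/", "\\")
    if not name.strip("\\. "):
        raise ValueError("empty or dot-only name")
    if ":" in name:
        raise ValueError("drive letter or stream separator in name")
    if name.startswith("\\"):
        raise ValueError("rooted or UNC name")
    root = ntpath.normcase(ntpath.normpath(output_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    # Compare against root plus a separator so "C:\out" never matches "C:\outside".
    if not target.startswith(root.rstrip("\\") + "\\"):
        raise ValueError("resolves outside the output directory")
    return target


def unsafe_members(output_dir, member_names):
    """Return (name, reason) for every member that must not be extracted."""
    rejected = []
    for name in member_names:
        try:
            safe_target(output_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return rejected


# Constructed member names, not taken from any real archive.
SAMPLE = [
    "docs\\readme.txt",
    "a\\..\\b.txt",
    "..\\..\\evil.exe",
    "..\\outside\\x.dll",
    "C:\\Users\\Public\\x.exe",
    "\\\\host\\share\\x.exe",
]

if __name__ == "__main__":
    for name, reason in unsafe_members("C:\\out", SAMPLE):
        print(f"REJECT {name!r}: {reason}")
```

A name check like this only helps when the extractor writes exactly the path that was validated, so it complements, rather than replaces, confirming after extraction that nothing landed outside the output directory.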