Potential security vulnerability in ACE extraction #132

Closed
jyrkive opened this issue Feb 22, 2019 · 1 comment
Labels
extractor-change: Addressing this issue requires replacing an existing extractor with a new one.


jyrkive commented Feb 22, 2019

A couple of days ago Check Point Research found a vulnerability in unacev2.dll: a specially crafted ACE archive can be made that, when extracted, plants files anywhere in the host system, outside the target folder. Their whole write-up is here: https://research.checkpoint.com/extracting-code-execution-from-winrar/

UniExtract2 uses XAce Plus for ACE extraction instead of unacev2.dll, but I'd guess that it's also vulnerable.

The developer of WinAce apparently went bankrupt in 2017 and thus there won't be any more updates, security or otherwise, for ACE extractors. I think it would be best to just remove ACE extraction functionality completely to keep users safe.

Bioruebe added the extractor-change label on Mar 2, 2019

Bioruebe commented Mar 6, 2019

Thanks for reporting!

I tested the POC archive and surprisingly XAce does not seem to be affected by these malicious files. On one of my test systems XAce crashed, but at least no files were written outside the output directory.

I think it is safe enough to keep XAce for now, but I will investigate switching to acefile as it is actively maintained.
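
An added example, not part of the original thread and not code from UniExtract2, XAce or acefile: the property tested above (no file written outside the output directory) expressed as a check on an archive's stored member names before anything is extracted. The function names, the `C:\extract\out` directory and the sample listing are constructed for illustration, and rejecting every name that contains a colon is a conservative policy assumed here.

```python
import ntpath  # Windows path rules, importable on any OS


def resolve_member(output_dir, member_name):
    """Return the path a member would be written to under output_dir.

    Raises ValueError when the stored name would escape output_dir.
    """
    name = member_name.replace("/", "\\")  # archives may store either separator
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        raise ValueError("absolute, drive-qualified or UNC name: %r" % member_name)
    if ":" in name:
        # Conservative policy (an assumption of this example): no embedded
        # drive specs or NTFS alternate data streams in member names.
        raise ValueError("colon in member name: %r" % member_name)
    base = ntpath.normpath(output_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    # Compare case-insensitively and on a separator boundary, so that
    # C:\extract\out-evil is not mistaken for a child of C:\extract\out.
    prefix = ntpath.normcase(base).rstrip("\\") + "\\"
    if not ntpath.normcase(target).startswith(prefix):
        raise ValueError("escapes output directory: %r" % member_name)
    return target


def audit_listing(output_dir, member_names):
    """Split an archive listing into (accepted targets, rejected names)."""
    accepted, rejected = [], []
    for name in member_names:
        try:
            accepted.append(resolve_member(output_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


# Constructed member names, not taken from any real archive.
SAMPLE_LISTING = [
    "docs\\readme.txt",
    "docs/../notes.txt",
    "..\\..\\startup\\run.exe",
    "..\\out-evil\\run.exe",
    "C:\\Users\\Public\\run.exe",
    "\\\\host\\share\\run.exe",
    "sub\\C:\\run.exe",
]
```

A name check like this only covers what the listing reports; it does not replace extracting untrusted archives into an isolated directory and verifying afterwards what was written.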
