Potential security vulnerability in ACE extraction #132

Closed
jyrkive opened this issue Feb 22, 2019 · 1 comment

@jyrkive
Contributor

commented Feb 22, 2019

A couple of days ago Check Point Research found a vulnerability in unacev2.dll: a specially crafted ACE archive can be made that, when extracted, plants files anywhere in the host system, outside the target folder. Their whole write-up is here: https://research.checkpoint.com/extracting-code-execution-from-winrar/

UniExtract2 uses XAce Plus for ACE extraction instead of unacev2.dll, but I'd guess that it's also vulnerable.

The developer of WinAce apparently went bankrupt in 2017 and thus there won't be any more updates, security or otherwise, for ACE extractors. I think it would be best to just remove ACE extraction functionality completely to keep users safe.

@Bioruebe

Owner

commented Mar 6, 2019

Thanks for reporting!

I tested the POC archive and surprisingly XAce does not seem to be affected by these malicious files. On one of my test systems XAce crashed, but at least no files were written outside the output directory.

I think it is safe enough to keep XAce for now, but I will investigate switching to acefile as it is actively maintained.

@Bioruebe Bioruebe closed this in bd051b3 Apr 30, 2019
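
The property tested in the comment above (no files written outside the output directory) can also be enforced on member names before anything is extracted. The following is an added example, not code from UniExtract2, XAce or acefile; the function names `safe_target` and `audit` and the sample member names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS


def safe_target(dest_dir, member_name):
    """Return the path a member would be written to, or raise ValueError."""
    name = member_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        raise ValueError("absolute, drive-relative or UNC path")
    if ":" in name:
        raise ValueError("colon in member name")
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))
    # commonpath compares case-insensitively and returns the prefix of `dest`
    if target == dest or ntpath.commonpath([dest, target]) != dest:
        raise ValueError("does not resolve to a path inside the output directory")
    return target


def audit(dest_dir, member_names):
    """Return (name, reason) for every member that must not be extracted."""
    rejected = []
    for name in member_names:
        try:
            safe_target(dest_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return rejected


# Constructed member names, not taken from any real archive.
SAMPLE = [
    "docs/readme.txt",
    "docs\\..\\notes.txt",
    "..\\..\\outside.txt",
    "C:\\Temp\\outside.txt",
    "\\\\server\\share\\outside.txt",
]

if __name__ == "__main__":
    for name, reason in audit("C:\\out", SAMPLE):
        print(f"REJECT {name!r}: {reason}")
```

A name-based check like this does not account for symlinks or junctions already present in the output directory, so extracting into a fresh, empty directory remains advisable.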
