
John Hammond Discusses Critical WinRAR Vulnerability in New Video
In this video, John Hammond addresses a recently discovered critical vulnerability in WinRAR, a popular file compression tool for Windows. The video focuses on two main questions: whether users have WinRAR installed and which version they are running. The update matters because a new zero-day vulnerability, already exploited by threat groups such as RomCom, has been identified. It allows attackers to compromise systems with malicious archives disguised as job application documents, such as resumes or cover letters.
The vulnerability, designated CVE-2025-8088, affects WinRAR versions up to 7.12. It is a path traversal flaw that abuses Alternate Data Streams (ADS), a feature of the NTFS file system in Windows. When a user extracts one of these malicious archives, WinRAR writes not only the visible file but also the hidden ADS content, which can contain malicious files such as DLLs or LNK shortcuts. Because the stream name carries a traversal path, these files land in strategic directories outside the extraction folder, such as the Windows Startup folder, which gives the attacker persistence and automatic execution on the next reboot.
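As an added defensive example (not code from Hammond's video or from the GitHub PoC it discusses), the following Python check refuses archive entry names that carry the two ingredients described above, a parent-directory traversal or an NTFS alternate data stream, before anything is written to disk; the entry listing and file names are constructed for the example.

```python
"""Pre-extraction triage of archive entry names for the CVE-2025-8088 pattern.

Added example, not from Hammond's video or the PoC it covers. It assumes the
caller has already obtained the entry names from the archive listing and only
decides whether each name is safe to write under the extraction directory on
an NTFS volume. PureWindowsPath is used so the check runs on any platform.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample listing: benign entries followed by the hostile shapes
# the page describes (an ADS carrier with traversal, plain traversal, and an
# absolute path). None of these names come from a real sample.
SAMPLE_ENTRIES = [
    "resume.pdf",
    "cover_letter/letter.docx",
    "resume.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.lnk",
    "..\\..\\..\\Windows\\Temp\\payload.dll",
    "C:\\Windows\\Temp\\x.dll",
]


def classify_entry(name: str) -> Optional[str]:
    """Return a reason to refuse the entry, or None if it is safe to extract."""
    if "\x00" in name:
        return "embedded NUL"
    path = PureWindowsPath(name)
    # A drive letter, UNC prefix or leading separator escapes the target dir.
    if path.drive or path.root:
        return "absolute path or drive letter"
    # With no drive letter, a colon can only introduce an NTFS alternate data
    # stream, which is exactly what the malicious archives rely on.
    if ":" in name:
        return "alternate data stream"
    # pathlib keeps '..' components, so any one of them is a traversal attempt.
    if any(part == ".." for part in path.parts):
        return "parent-directory traversal"
    return None


def triage(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every entry that must not be extracted."""
    flagged = []
    for name in entries:
        reason = classify_entry(name)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ENTRIES):
        print(f"REFUSE {reason}: {name}")
```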
Hammond explains that this vulnerability was discovered by ESET's research team, which observed phishing campaigns using this technique. Attackers send emails with malicious RAR attachments, purporting to be job application documents. Once extracted, these archives deploy malicious files that can perform additional actions, such as downloading malware or executing arbitrary code.
To demonstrate the vulnerability, Hammond uses a Windows virtual machine to analyze a sample malicious RAR file, and shows how tools such as VirusTotal and Any.Run can be used to examine suspicious files safely. He also warns that patching alone is not a complete defense: even on a system where WinRAR has been updated, an attacker can bring their own vulnerable copy of WinRAR and extract the archive with it.
Hammond then presents a proof of concept (PoC) available on GitHub, which shows how a malicious RAR archive can be built with Python scripts. The PoC manipulates the headers and blocks of the RAR archive so that an entry name includes an ADS and a traversal path, which results in an arbitrary file write on the file system. He walks through the technical details, including how the header length fields and the CRC (Cyclic Redundancy Check) values must be updated so that the modified archive still parses correctly.
In conclusion, Hammond emphasizes the importance of updating WinRAR to version 7.13 or later to protect against this vulnerability. He also stresses that, even after updating, users must remain vigilant, since attackers can still exploit the flaw by bringing a vulnerable version of WinRAR with them. The video ends with a practical demonstration of the exploit, showing how a malicious file is deployed and automatically executed on system startup.