AZeuner

2 posts since 28.09.2015

The developer says:

From: Eugene Roshal <roshal@rarlab.com>
Subject: Re: heise online: inquiry about WinRAR security hole
Date: 28 September 2015 14:27:02 CEST
To: "winrar.de || Andreas Zeuner" <zeuner@winrar.de>
Reply-To: Eugene Roshal <roshal@rarlab.com>

A WinRAR self-extracting archive is an executable file.

The user is not able to easily verify whether the executable part
is a genuine WinRAR SFX module or some other code,
so any malicious code can be included directly in the
executable module of an SFX archive. A malicious hacker can take
any executable, prepend it to an archive and distribute it to users.
This fact alone makes discussing vulnerabilities in SFX useless.

The SFX module also provides an official, documented function
to run any executable file contained in the SFX archive
on the user's computer. This can be done with the "Setup" script command
or its "Setup program/Run after extraction" GUI equivalent.
The "Silent" script command or its "Silent mode/Hide start dialog"
GUI equivalent allows the start dialog to be skipped, so an archived
executable will be started immediately, without user intervention.
The "Overwrite" command helps to avoid the overwrite prompt in case
an extracted file already exists.

It is useless to search for supposed vulnerabilities
in the SFX module or to fix such vulnerabilities, because, like
any exe file, an SFX archive is potentially dangerous for the user's
computer by design. As for any exe file, users must run
SFX archives only if they are sure that the archive was received
from a trustworthy source. An SFX archive can silently run any exe file
contained in the archive, and this is an official feature needed
for software installers.

In other words, instead of that complicated proof of concept video,
it would be simpler to place putty.exe into a RAR SFX archive
and add the following commands to the archive comment:


Taking all this into account, we can say that limiting the SFX module's
HTML functionality would hurt only those legitimate users who need
all HTML features, while posing absolutely no problem for a malicious
person, who can use previous version modules, custom modules built
from the UnRAR source code, their own code and archived executables
for their purpose. We can only remind users to run exe files only
if they are received from a trustworthy source.
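The mail's central point is that an SFX is an executable stub with a RAR archive appended, and that a user cannot easily tell a genuine stub from arbitrary code. The following is an added example (not part of the post and not WinRAR's code) of the defender-side check that makes this verifiable: split a suspected SFX at the RAR marker block, hash the stub in front of it, and compare the hash against an allowlist of stub modules you have verified yourself. The allowlist entries and the sample bytes are constructed placeholders.

```python
import hashlib

# RAR marker blocks from the published RAR format:
# RAR 1.5-4.x ("Rar!\x1a\x07\x00") and RAR 5.x ("Rar!\x1a\x07\x01\x00").
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Hypothetical allowlist: SHA-256 of SFX stub modules an organisation has
# verified itself. The key below is a placeholder, not a real hash.
KNOWN_STUB_HASHES = {
    "0" * 64: "placeholder entry (hypothetical verified SFX stub)",
}


def find_rar_marker(data: bytes) -> int:
    """Offset of the earliest RAR marker block in data, or -1 if none."""
    hits = [data.find(sig) for sig in RAR_SIGNATURES]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def classify(data: bytes) -> dict:
    """Classify bytes as 'rar', 'pe', 'sfx' (PE stub + appended RAR) or 'other'.

    For an SFX the executable stub is everything before the marker block;
    its hash is what should be compared against a verified allowlist.
    This is a heuristic: a PE that merely contains the marker bytes in its
    own data would also be reported as 'sfx', so treat 'sfx' as 'inspect'.
    """
    is_pe = data[:2] == b"MZ"
    offset = find_rar_marker(data)
    if is_pe and offset > 0:
        stub_hash = hashlib.sha256(data[:offset]).hexdigest()
        return {"kind": "sfx", "archive_offset": offset,
                "stub_sha256": stub_hash,
                "stub_known": stub_hash in KNOWN_STUB_HASHES}
    if offset == 0:
        return {"kind": "rar", "archive_offset": 0}
    if is_pe:
        return {"kind": "pe", "archive_offset": -1}
    return {"kind": "other", "archive_offset": -1}


# Constructed sample: a fake 66-byte "stub" followed by a RAR 4 marker block.
SAMPLE_SFX = b"MZ" + b"\x00" * 64 + b"Rar!\x1a\x07\x00" + b"\x00" * 16
SAMPLE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(classify(SAMPLE_SFX))
    print(classify(SAMPLE_RAR))
```

An unknown stub hash does not prove the file is malicious; it means the executable part is not one you have verified, which is exactly the case the mail says a user cannot judge by eye.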