Author Topic: Vulnerability in RAR program  (Read 1465 times)

Offline vonegood

  • Newbie
  • *
  • Posts: 5
Vulnerability in RAR program
« on: March 16, 2019, 08:49:49 PM »
Hi guys,

There was a vulnerability in RAR, and it was used to extract malware to the Startup folder without the user's knowledge. The malware was distributed in a pirate copy of "Ariana_Grande-thank_u,_next(2019)_[320].rar"

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious program is extracted to Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware (exe file) is run.

My question is, why is UAC bypassed and how is it possible? How is it possible when you use a user account? Isn't it a Microsoft bug?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Vulnerability in RAR program
« Reply #1 on: March 16, 2019, 09:13:03 PM »
Upload and scan file at www.virustotal.com

Post link to scan result here



Offline vonegood

  • Newbie
  • *
  • Posts: 5
Re: Vulnerability in RAR program
« Reply #2 on: March 16, 2019, 09:39:32 PM »
This is not what I asked about. I don't have this file. I am just asking here.

 “User Access Control (UAC) is bypassed after the payload gets executed, so no alert is displayed to the user. The next time the system restarts, the malware is run.”

How is it possible that UAC is bypassed?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Vulnerability in RAR program
« Reply #3 on: March 16, 2019, 09:51:14 PM »
I guess it is this

Over 100 Exploits Found for 19-Year Old WinRAR RCE Bug
https://www.bleepingcomputer.com/news/security/over-100-exploits-found-for-19-year-old-winrar-rce-bug/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250/



Not detected by avast - Ariana_Grande-thank_u,_next(2019)_[320].rar - 2019-03-16 20:57:33 UTC
https://www.virustotal.com/#/file/e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec/detection

First Submission: 2019-02-28 08:26:51
Last Submission: 2019-02-28 08:26:51
Last Analysis: 2019-03-16 20:57:33

Extracted Malware payload Not detected by avast -    2019-03-16 20:52:33 UTC
https://www.virustotal.com/#/file/a1c06018b4e331f95a0e33b47f0faa5cb6a084d15fec30772923269669f4bc91/detection

First Submission: 2019-02-28 08:49:53
Last Submission: 2019-02-28 08:49:53
Last Analysis: 2019-03-16 20:52:33

« Last Edit: March 16, 2019, 10:01:57 PM by Pondus »
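
Added example (not part of any post in this thread): since the thread describes a payload that lands in the Startup folder and runs at the next restart, this PowerShell audit lists executable or script files in the per-user and all-users Startup folders with creation time, Authenticode status and SHA-256, so a hash can be looked up on VirusTotal. The 30-day window and the extension list are assumptions chosen for illustration.

```powershell
# Added example: audit Startup folders for executable content.
# Assumptions: the default 30-day window and the extension list are illustrative.
param(
    [int]$Days = 30
)

$extensions = '.exe', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta', '.lnk'

# Per-user and all-users Startup folders, resolved through the .NET API.
# The per-user folder is writable by a standard account, so a file written
# there during extraction does not trigger an elevation prompt.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($folder in $folders) {
    # -Force includes hidden files; the extension filter drops desktop.ini
    Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Recent    = $_.CreationTime -ge $cutoff   # created inside the window
                Signature = $sig.Status                    # e.g. Valid, NotSigned
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest entries first; unsigned and recent items deserve the first look
$findings | Sort-Object Created -Descending | Format-List
```

Run it as the affected user so the per-user folder resolves to that profile; an unsigned entry flagged `Recent` shortly after an archive was unpacked is the pattern described in this thread.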

Offline vonegood

  • Newbie
  • *
  • Posts: 5
Re: Vulnerability in RAR program
« Reply #4 on: March 16, 2019, 09:57:16 PM »
Yes, you are right. And how is it possible that UAC is bypassed here? Please answer this.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Vulnerability in RAR program
« Reply #5 on: March 16, 2019, 10:09:28 PM »