Summary

Executable files are potentially dangerous by design. Run them only if they were received from a trustworthy source. WinRAR self-extracting (SFX) archives are neither more nor less dangerous than any other exe file.

Description

As reported by http://seclists.org/fulldisclosure/2015/Sep/106, it is possible to create an SFX archive with specially crafted HTML text which, if started as an executable, will download and run an arbitrary executable on the user's computer. Extracting such an SFX archive with WinRAR is still safe. Let's see whether it creates any additional risk for users.

A WinRAR self-extracting archive is an executable file.

A user cannot easily verify whether the executable part is a genuine WinRAR SFX module or some other code, so any malicious code can be placed directly into the executable module of an SFX archive. A malicious hacker can take any executable, prepend it to an archive and distribute it to users. This fact alone makes discussing vulnerabilities in SFX archives pointless.

The SFX module also provides an official, documented function to run any executable file contained in the SFX archive on the user's computer, so there is no need for hackish ways to achieve the same. This is done with the "Setup" script command or its "Setup program/Run after extraction" WinRAR GUI equivalent. The "Silent" script command or its "Silent mode/Hide start dialog" WinRAR GUI equivalent skips the start dialog, so an archived executable is started immediately, without user intervention. The "Overwrite" script command avoids the overwrite prompt if an extracted file already exists. The "Path" command specifies the name of the folder in "Program Files" where the unpacked files are stored.

It is useless to search for supposed vulnerabilities in the SFX module, or to fix such vulnerabilities, because like any exe file an SFX archive is potentially dangerous for the user's computer by design. As with any exe file, users must run SFX archives only if they are sure the archive was received from a trustworthy source. An SFX archive can silently run any exe file contained in the archive; this is an official feature needed for software installers.

In other words, instead of the complicated proof-of-concept video mentioned in the report linked above, it would be simpler to place putty.exe into a RAR SFX archive and add the following commands to the archive comment:

Setup=putty.exe
Silent
Overwrite
Path=puttyfolder

If downloading from the Internet is preferred, a tool that downloads and runs an executable from the net can also be specified in the "Setup" command.
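As an added example of how a defender can triage a downloaded exe against the points above (this is not WinRAR's code, nor anything from the linked report), the script below checks whether a file is a PE executable that carries an embedded RAR archive, reports where the archive data begins (everything before it is the stub a user cannot verify by eye), and lists any of the four SFX script commands discussed above that appear as plain text after the RAR signature. The "MZ" prefix and the RAR 4.x/5.x marker bytes are standard values; the sample bytes are constructed for the example, and the keyword scan is only a heuristic because WinRAR may store the archive comment in compressed form, in which case the archive has to be listed with the real unrar tool instead.

```python
# Added example, not WinRAR's own code: triage a file that may be a WinRAR
# self-extracting archive. Reports whether it is a PE executable, where the
# embedded RAR data starts (= size of the SFX stub), which RAR signature was
# found, and any SFX script commands visible as plain text in the archive part.
import re

PE_MAGIC = b"MZ"

# Well-known RAR marker blocks for RAR 4.x and RAR 5.x archives.
RAR_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
}

# The four SFX script commands from the text above. The lookbehind stops us
# from matching inside longer words, the lookahead requires a line end, and
# "=value" is optional (Setup= and Path= carry one, Silent/Overwrite need not).
SFX_COMMAND_RE = re.compile(
    rb"(?<![A-Za-z0-9_=])((?:Setup|Silent|Overwrite|Path)(?:=[^\r\n]*)?)(?=[\r\n]|\Z)"
)


def inspect_sfx(data: bytes) -> dict:
    """Return a small report about a file that may be an SFX executable."""
    report = {
        "is_pe": data[:2] == PE_MAGIC,
        "rar_offset": None,
        "rar_version": None,
        "sfx_commands": [],
    }
    # Find the earliest RAR signature. A plain .rar starts at offset 0; an SFX
    # has the executable stub first and the archive somewhere after it.
    best = None
    for sig, version in RAR_SIGNATURES.items():
        pos = data.find(sig)
        if pos != -1 and (best is None or pos < best[0]):
            best = (pos, version)
    if best is None:
        return report
    report["rar_offset"], report["rar_version"] = best
    # Heuristic: scan the archive part for plaintext SFX script lines. If the
    # comment is stored compressed nothing matches here, so an empty list does
    # NOT prove the archive has no Setup directive.
    archive_part = data[best[0]:]
    report["sfx_commands"] = [
        m.group(1).decode("ascii", "replace") for m in SFX_COMMAND_RE.finditer(archive_part)
    ]
    return report


def classify(report: dict) -> str:
    """One-line verdict a triage queue can sort on."""
    if not report["is_pe"]:
        return "not an executable"
    if report["rar_offset"] is None:
        return "executable without embedded RAR data"
    if any(c.startswith("Setup") for c in report["sfx_commands"]):
        return "SFX executable with auto-run (Setup) directive"
    return "SFX executable"


# Constructed sample, not a real SFX: a minimal PE-like prefix, zero padding in
# place of the SFX stub, a RAR4 marker block, then a plaintext comment carrying
# exactly the script commands shown in the text above.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"Rar!\x1a\x07\x00"
    + b"\x00" * 8
    + b"Setup=putty.exe\r\nSilent\r\nOverwrite\r\nPath=puttyfolder\r\n"
)

if __name__ == "__main__":
    report = inspect_sfx(SAMPLE_SFX)
    print(classify(report))
    print(report)
```

The verdict only tells you that the file is an exe with an archive attached and, at best, that it declares an auto-run program; it says nothing about whether the stub in front of the archive is the genuine WinRAR module, which is exactly the point the text makes. Treat the result as a reason to handle the file as an untrusted executable, not as a clean bill of health.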

Taking all this into account, we can say that limiting the SFX module's HTML functionality would hurt only those legitimate users who need all HTML features, while causing no problem at all for a malicious person, who can use previous versions of the SFX modules, custom modules built from the UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run exe files, SFX archives or not, only if they were received from a trustworthy source.