In August 2023, cybersecurity researchers uncovered a serious vulnerability in WinRAR, the well-known file archiver by RARLAB, which could let hackers run code on your computer. Tracking as CVE-2023-40477 (also identified by Trend Micro as ZDI-CAN-21233), the flaw targets WinRAR’s recovery volume feature. If you use WinRAR to manage compressed files, this article breaks down what you need to know, how the attack works, and the technical details—with examples and reference links.
What Is the Vulnerability?
CVE-2023-40477 is a remote code execution (RCE) vulnerability due to improper validation of an array index when processing "recovery volumes" (.rev files) in WinRAR. Recovery volumes help users restore broken or missing parts of multi-part RAR archives.
The flaw lets an attacker craft a malicious recovery volume file which, when opened, makes WinRAR access memory it’s not supposed to. This can let the attacker run arbitrary code on your machine. The scary part: It only takes opening a booby-trapped file or visiting a harmful page for your computer to be at risk.
Victims download this file or receive it as an email attachment.
- WinRAR, upon opening and processing the file, fails to check if the array index it reads from the file is within valid bounds.
This results in out-of-bounds memory access (reading or writing outside the allowed space).
- If done right, the attacker can make WinRAR execute arbitrary commands or code, giving them control over the system within the context of the running user.
Key Note:
User interaction is necessary. The victim must open the file or interact with it (like previewing in a file explorer that calls WinRAR in the background).
Here's a simplified pseudocode to show how a bug like this works (note: not the actual WinRAR code)
// Assume arr is an array of fixed size N
int arr[N];
int read_index_from_user_file(FILE* file) {
int idx;
fread(&idx, sizeof(int), 1, file); // Read index from attacker-controlled file
// BAD: No check if idx is within ..N-1
arr[idx] = x41; // Vulnerable line: If idx < or idx >= N, this writes out of bounds
}
What went wrong?
The code should check if idx is within valid bounds ( <= idx < N), but it doesn’t.
Proof-of-Concept (PoC)
A real exploit would require building a malicious .rev file that places out-of-range index values at the required field. Upon opening, WinRAR will misbehave and, if conditions are right, the attacker gains control.
Below is *symbolic*—just to show the idea, not a working exploit
with open('malicious.rev', 'wb') as f:
f.write(b'RECOVERY-HEADER') # Fake header
f.write((9999).to_bytes(4, 'little')) # Malicious large index
f.write(b'\x00' * 100) # Padding
# Add more fields as required by .rev structure, with malicious values
The attacker then tricks someone into opening this file with WinRAR.
Data Theft, Malware Installation: The attacker can install malware, steal files, steal passwords
- Wide Attack Surface: Affects all unpatched WinRAR on Windows; extremely popular in enterprises and for home users
Official Advisory and Patch
- Original Advisory: Zero Day Initiative ZDI-23-1152
- RARLAB Security Page: WinRAR Vulnerabilities
- NIST CVE-2023-40477 Entry
Status: Fixed in WinRAR version 6.23 (released August 2023)
Patch Info:
>"WinRAR 6.23 addresses a security issue that could allow execution of arbitrary code when processing recovery volumes (REV files) with malformed data."
What Should You Do?
If you use WinRAR:
Reference Links
- WinRAR Download Page (for latest safe version)
- NVD CVE-2023-40477
- ZDI-23-1152 Advisory (original technical write-up)
- Mitre CVE Record
Wrap-Up
CVE-2023-40477 exposes millions of WinRAR users to serious risk just by opening the wrong file. The bug is a classic case of not validating input, which allows memory access beyond safe regions—something attackers love to exploit. If you haven’t already, update WinRAR now and remind others to do the same. Stay safe!
*If you want a deeper technical dive or have questions, let us know below!*
Timeline
Published on: 05/03/2024 03:15:20 UTC