Government-backed actors exploiting WinRAR vulnerability

When writing contents of the files, WinRAR performs path normalization that removes appended spaces, because Windows doesn’t allow files with trailing spaces. Finally, WinRAR calls ShellExecuteExW, passing the non-normalized path with a trailing space “%TEMP%{random_directory}poc.png_” to run the user-selected file. Internally, ShellExecute attempts to identify file extensions by calling “shell32!PathFindExtension” which fails because extensions with […]