Leaderboard

Winrar is one of the most common application for compressing and decompressing data. The application is capble of compressing data as rar or as zip format. This Article is going to present a new Vulnerability that i found at WINRAR version 4.20 (other version maybe vulnerable to). Here is a quick brief of the zip file format: So by the file format descriptor, we can see that the Bits at offset 30 are referred to the file name of the compressed file. When we try to compress the file as "ZIP Format" with WINRAR, the file structure looks the same, but! WINRAR adds several properties of its own. For example let's look at a text file called "TEST1.txt" that contains the data "AAAAA" after it compressed as zip with WINRAR: In the example above it can be noticed that WINRAR add extra "file name" into the compressed file. Further analysis reveals that the second name is the "File Name" of the file, that WINRAR will give to the output uncompressed file, while the First name is the name that appears at the WINRAR GUI window. QUESTION: so what happens if the first name and the last name are different? ANSWER: WINRAR will show the spoofed file name, while after decompression the user will get the real file name. This Behavior can easily turned into a very dangerous security hole. Think about a hacker that publish some informative "txt" file called "ReadMe.txt" or even PDF like "VirusTotal_ScanResults.pdf" or more tempting file like"My Girl Friend new bathing suit.jpg". Think about an innocent user that will open that file and instead of getting readme file, PDF book or interesting image, he will get a nasty Trojan Horse... So let's start and build a nasty POC 1: First we goanna take some nasty file (just kidding) that will popup "PWNED" message. 2: Second we will compress it with WINRAR by choosing "WINZIP" method.2: Second we will compress it with WINRAR by choosing "WINZIP" method. 3:Finally wewill open the ZIP file with an hex editor, change the second name only, to the fake name we chose (MyPrivateImage.jpg) and save it as ZIP file. The result will be a nasty WINRAR file that shows you an image file, when you double click it, the nasty binary file will execute: This by itself is a very problematic behavior of WINRAR, but what about those people that aren't double clicking files from WINRAR windows? yes... the "Extract here" people :\ If they will see a file that called " MyPrivateImage.jpg " turning into " MyPrivateImage.exe " , well.... they will start worry Don't be afraid, for this purpose we can combine other known vulnerability for windows. This Vulnerability called "Unicode RLO Spoofing". In this technique we use the RLO Unicode character. ( Read about it here: Unicode Character 'RIGHT-TO-LEFT OVERRIDE' (U+202E)). This character can easily confuse windows to present the file "Fede.jpg.exe" into "Fedexe..jpg". Combination of these two vulnerabilities can get you the near perfect File spoofing ever When you look at it in WINRAR, you will see FEDEX.jpg And when you extract it, you will see Fedexe..jpg No matter where you run the file from , YOU'll GET PWNED ! Sursa:An7isec