tomyk Posted March 26, 2014

WinRAR is one of the most common applications for compressing and decompressing data. The application is capable of compressing data as RAR or as ZIP format. This article is going to present a new vulnerability that I found in WinRAR version 4.20 (other versions may be vulnerable too).

Here is a quick brief of the ZIP file format:

So by the file format descriptor, we can see that the bits at offset 30 are referred to the file name of the compressed file.

When we try to compress the file as "ZIP Format" with WinRAR, the file structure looks the same, but! WinRAR adds several properties of its own.

For example let's look at a text file called "TEST1.txt" that contains the data "AAAAA" after it is compressed as ZIP with WinRAR:

In the example above it can be noticed that WinRAR adds an extra "file name" into the compressed file. Further analysis reveals that the second name is the "File Name" that WinRAR will give to the output uncompressed file, while the first name is the name that appears in the WinRAR GUI window.

QUESTION: so what happens if the first name and the last name are different?
ANSWER: WinRAR will show the spoofed file name, while after decompression the user will get the real file name.

This behavior can easily be turned into a very dangerous security hole. Think about a hacker that publishes some informative "txt" file called "ReadMe.txt", or even a PDF like "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg". Think about an innocent user that will open that file and instead of getting a readme file, PDF book or interesting image, he will get a nasty Trojan Horse...

So let's start and build a nasty POC

1: First we're gonna take some nasty file (just kidding) that will pop up a "PWNED" message.
2: Second we will compress it with WinRAR by choosing the "WINZIP" method.
3: Finally we will open the ZIP file with a hex editor, change the second name only, to the fake name we chose (MyPrivateImage.jpg) and save it as a ZIP file.

The result will be a nasty WinRAR file that shows you an image file; when you double click it, the nasty binary file will execute:

This by itself is a very problematic behavior of WinRAR, but what about those people that aren't double clicking files from WinRAR windows? Yes... the "Extract here" people :\ If they see a file called "MyPrivateImage.jpg" turning into "MyPrivateImage.exe", well.... they will start to worry.

Don't be afraid, for this purpose we can combine another known vulnerability of Windows. This vulnerability is called "Unicode RLO Spoofing". In this technique we use the RLO Unicode character. (Read about it here: Unicode Character 'RIGHT-TO-LEFT OVERRIDE' (U+202E)). This character can easily confuse Windows into presenting the file "Fede.jpg.exe" as "Fedexe..jpg".

The combination of these two vulnerabilities can get you the near perfect file spoofing ever. When you look at it in WinRAR, you will see FEDEX.jpg. And when you extract it, you will see Fedexe..jpg. No matter where you run the file from, YOU'LL GET PWNED!

Source: An7isec
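A defender-side check for the two tricks the post describes, added here as an example and not part of the original post or of An7isec's article: it reads the ZIP central directory with Python's zipfile, compares each entry's name with the name stored in its local file header (the field at offset 30), and flags names containing U+202E. The archive it scans is a constructed test input built inline from harmless text members; the file names in it are made up for the test.

```python
import io
import struct
import zipfile

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character behind the second trick


def name_mismatches(data: bytes) -> list:
    """Return (local header name, central directory name) pairs that differ.

    A well-formed archive stores the same name in both places; the spoofed
    archive in the post carries an innocent name in one and the real name
    in the other. (CPython's zipfile refuses to open such a member, but
    infolist() alone never notices, so the comparison is done by hand.)
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # names as read from the central directory
            off = info.header_offset
            assert data[off:off + 4] == b"PK\x03\x04", "bad local header"
            name_len = struct.unpack_from("<H", data, off + 26)[0]
            # general-purpose flag bit 11 marks UTF-8 names, otherwise cp437
            enc = "utf-8" if info.flag_bits & 0x800 else "cp437"
            local = data[off + 30:off + 30 + name_len].decode(enc, "replace")
            if local != info.filename:
                found.append((local, info.filename))
    return found


def rlo_names(data: bytes) -> list:
    """Return entry names embedding U+202E, which the shell renders reversed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if RLO in i.filename]


def build_sample() -> bytes:
    """Constructed test input (text members only): the first entry is patched so
    its local header says .jpg while the central directory says .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyPrivateImage.exe", b"stand-in text, not a binary")
        zf.writestr("FEDEX" + RLO + "gpj.exe", b"stand-in text, not a binary")
    data = bytearray(buf.getvalue())
    # first local header starts at offset 0, its name field at +30; both
    # names are 18 bytes, so the patch leaves the archive layout intact
    data[30:48] = b"MyPrivateImage.jpg"
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample()
    for shown, real in name_mismatches(sample):
        print(f"name mismatch: header says {shown!r}, directory says {real!r}")
    for name in rlo_names(sample):
        print(f"RLO character in name: {name!r}")
```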
Kzz Posted March 29, 2014 I tried it on WinRar version 5.01 and it doesn't behave the same. Although it appears as a jpeg in the GUI, on double click the default image viewer program opens.
B3st Posted April 3, 2014 It's not a 0day, it's an old exploit that only works on version 4.20. That Indian guy is showing off for nothing..
HackXBack Posted June 1, 2014 it works but it gives an error http://puu.sh/9aVbx/b33ceea659.jpg