Jump to content
tomyk

WinRar File extension spoofing ( 0DAY )

Recommended Posts

Winrar is one of the most common application for compressing and decompressing data.

The application is capble of compressing data as rar or as zip format.

This Article is going to present a new Vulnerability that i found at WINRAR version 4.20

(other version maybe vulnerable to).

Here is a quick brief of the zip file format:

image.jpg

So by the file format descriptor, we can see that the Bits at offset 30 are referred to

the file name of the compressed file.

When we try to compress the file as "ZIP Format" with WINRAR, the file structure looks

the same, but! WINRAR adds several properties of its own.

For example let's look at a text file called "TEST1.txt" that contains the data "AAAAA" after

it compressed as zip with WINRAR:

image.jpg

In the example above it can be noticed that WINRAR add extra "file name" into the compressed file.

Further analysis reveals that the second name is the "File Name" of the file, that WINRAR will give to

the output uncompressed file, while the First name is the name that appears at the WINRAR GUI

window.

QUESTION: so what happens if the first name and the last name are different?

ANSWER: WINRAR will show the spoofed file name, while after decompression the user will get the real file name.

This Behavior can easily turned into a very dangerous security hole.

Think about a hacker that publish some informative "txt" file called "ReadMe.txt" or even

PDF like "VirusTotal_ScanResults.pdf" or more tempting file like"My Girl Friend new bathing suit.jpg".

Think about an innocent user that will open that file and instead of getting readme file, PDF book

or interesting image, he will get a nasty Trojan Horse...

So let's start and build a nasty POC

1: First we goanna take some nasty file (just kidding) that will popup "PWNED" message.

25jflfk.jpg

2: Second we will compress it with WINRAR by choosing "WINZIP" method.2: Second we will compress it with WINRAR by choosing "WINZIP" method.

rkbywp.jpg

3:Finally wewill open the ZIP file with an hex editor, change the second name only, to the fake name we chose (MyPrivateImage.jpg) and save it as ZIP file.

54hpfn.jpg

The result will be a nasty WINRAR file that shows you an image file, when you double click it, the nasty binary file will execute:

eq8swn.jpg

This by itself is a very problematic behavior of WINRAR, but what about those people

that aren't double clicking files from WINRAR windows?

yes... the "Extract here" people :\

If they will see a file that called " MyPrivateImage.jpg " turning into " MyPrivateImage.exe " , well.... they will start worry :)

Don't be afraid, for this purpose we can combine other known vulnerability for windows.

This Vulnerability called "Unicode RLO Spoofing".

In this technique we use the RLO Unicode character.

( Read about it here: Unicode Character 'RIGHT-TO-LEFT OVERRIDE' (U+202E)).

This character can easily confuse windows to present the file "Fede.jpg.exe" into

"Fedexe..jpg".

Combination of these two vulnerabilities can get you the near perfect File spoofing ever

When you look at it in WINRAR, you will see FEDEX.jpg

And when you extract it, you will see Fedexe..jpg

No matter where you run the file from , YOU'll GET PWNED !

Sursa:An7isec

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...