Mar 23, 2014

WinRar File extension spoofing ( 0DAY )

Winrar is one of the most common application for compressing and decompressing data.

The application is capble of compressing data as rar or as zip format.

This Article is going to present a new Vulnerability that i found at WINRAR version 4.20
(other version maybe vulnerable to).

Here is a quick brief of the zip file format:

So by the file format descriptor, we can see that the Bits at offset 30 are referred to
the file name of the compressed file.
When we try to compress the file as "ZIP Format" with WINRAR, the file structure looks
the same, but! WINRAR adds several properties of its own.

For example let's look at a text file called "TEST1.txt" that contains the data "AAAAA" after
it compressed as zip with WINRAR:

In the example above it can be noticed that WINRAR add extra "file name" into the compressed file.

Further analysis reveals that the second name is the "File Name" of the file, that WINRAR will give to
the output uncompressed file, while the First name is the name that appears at the WINRAR GUI

QUESTION: so what happens if the first name and the last name are different?

ANSWER:  WINRAR will show the spoofed file name, while after decompression the user will get the real file name.

This Behavior can easily turned into a very dangerous security hole.
Think about a hacker that publish some informative "txt" file called "ReadMe.txt" or even
PDF like "VirusTotal_ScanResults.pdf" or more tempting file like"My Girl Friend new bathing suit.jpg".

Think about an innocent user that will open that file and instead of getting readme file, PDF book
or interesting image, he will get a nasty Trojan Horse... 

So let's start and build a nasty POC

1: First we goanna take some nasty file (just kidding) that will popup "PWNED" message.

 2: Second we will compress it with WINRAR by choosing "WINZIP" method.

3:  Finally we  will open the ZIP file with an hex editor, change the second name only, to the fake name we chose (MyPrivateImage.jpg) and save it as ZIP file.

The result will be a nasty WINRAR file that shows you an image file, when you double click it, the nasty binary file will execute:

This by itself is a very problematic behavior of WINRAR, but what about those people
that aren't double clicking files from WINRAR windows?
yes... the  "Extract here" people  :\

If they will see a file that called " MyPrivateImage.jpg " turning into  " MyPrivateImage.exe " , well.... they will start worry  :)

Don't be afraid, for this purpose we can combine other known vulnerability for windows.
This Vulnerability called "Unicode RLO Spoofing".
In this technique we use the RLO Unicode character.

This character can easily confuse windows to present the file "Fede.jpg.exe" into


Combination of these two vulnerabilities can get you the near perfect File spoofing ever

When you look at it in WINRAR, you will see FEDEX.jpg
And when you extract it, you will see Fedexe..jpg

No matter where you run the file from , YOU'll GET PWNED !

Happy Hunting - An7i (Danor Cohen , Avnet Information Security)
There was an error in this gadget