Mar 23, 2014


WinRar File extension spoofing ( 0DAY )

WinRAR is one of the most common applications for compressing and decompressing data.
This article presents a new vulnerability that I have found in WinRAR version 4.20
(other versions might be vulnerable as well).

Here is a brief overview of the ZIP file format:


From the file format descriptor, we can see that the bytes at offset 30 hold the file name of the compressed file. When we compress a file in "ZIP format" with WinRAR, the file structure looks the same, but WinRAR adds several properties of its own.

For example, let's look at a text file called "TEST1.txt" that contains the data "AAAAA", after it is compressed as ZIP with WinRAR:


In the example above, notice that WinRAR adds an extra "filename" to the compressed file. Further analysis reveals that the second name is the "File Name" that WinRAR will give to the uncompressed output file, while the first name is the name that appears in the WinRAR GUI window.

Question: What would happen if the first name and the second name were different?

Answer: WinRAR will show the spoofed file name, while after decompression the user will get the real file name.

This behavior can easily be turned into a very dangerous security hole.
Think about a hacker who publishes some informative "txt" file called "ReadMe.txt", or even a
PDF like "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg".

Think about an innocent user who opens that file and, instead of getting a readme file, a PDF book or an interesting image, gets a nasty Trojan horse...

So let's start building a nasty PoC.

1: First, we take some nasty file (just kidding) that will pop up the "PWNED" message.



2: Second, we compress it with WinRAR by choosing the "WINZIP" method.


3: Finally, we open the ZIP file with a hex editor, change the second name to the fake name we chose (MyPrivateImage.jpg) and save it as a ZIP file.


The result is a nasty WinRAR file that shows an image file. When you double-click it, the nasty binary file will execute:



This by itself is very problematic behavior on WinRAR's part, but what about those people
who don't double-click files from the WinRAR window? Yes... the "Extract here" people :\
If they see a file called "MyPrivateImage.jpg" turning into "MyPrivateImage.exe", well... they will start to worry :)

Don't be afraid: for this purpose we can combine it with another known vulnerability in Windows, called "Unicode RLO Spoofing". This technique uses the RLO (right-to-left override) Unicode character.
(Read about it here: http://www.fileformat.info/info/unicode/char/202e/index.htm)

This character can easily confuse Windows into displaying the file "Fede.jpg.exe" as "Fedexe..jpg".
Combining these two vulnerabilities gives you near-perfect file spoofing.
When you look at it in WinRAR, you will see FEDEX.jpg, and when you extract it, you will see Fedexe..jpg
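From the defender's side, both tricks described above can be checked before an archive reaches a user. The following is an added example, not code from the original post: it compares the name in each ZIP local file header (the one at byte offset 30) with the name in the matching central directory record, and flags the U+202E character. The function names and the in-memory fixtures are assumptions made for illustration.

```python
import io
import struct
import zipfile

RLO = "\u202e"  # right-to-left override, the character the article pairs with the spoof

def _decode(raw, flags):
    # General-purpose bit 11 marks UTF-8 names; otherwise ZIP names are CP437.
    return raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")

def audit_zip(data):
    """Return (central_name, local_name, reasons) for every suspicious entry."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")           # end of central directory record
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, = struct.unpack_from("<H", data, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        central = _decode(data[pos + 46:pos + 46 + nlen], flags)
        # Local file header: the name starts at byte offset 30.
        if data[local_off:local_off + 4] != b"PK\x03\x04":
            raise ValueError("corrupt local header")
        lflags, = struct.unpack_from("<H", data, local_off + 6)
        lnlen, = struct.unpack_from("<H", data, local_off + 26)
        local = _decode(data[local_off + 30:local_off + 30 + lnlen], lflags)
        reasons = []
        if central != local:
            reasons.append("name mismatch")
        if RLO in central or RLO in local:
            reasons.append("RLO character in name")
        if reasons:
            findings.append((central, local, reasons))
        pos += 46 + nlen + elen + clen
    return findings

def sample_archives():
    """Constructed fixtures: a clean archive and one whose second name was altered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("TEST1.txt", "AAAAA")
    clean = buf.getvalue()
    i = clean.rfind(b"TEST1.txt")              # second copy = central directory
    return clean, clean[:i] + b"TEST1.jpg" + clean[i + 9:]
```

A mail gateway or download scanner can call `audit_zip` on the raw archive bytes and quarantine anything that returns a finding, since a legitimate archiver writes the same name in both places.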

No matter where you run the file from, YOU'LL GET PWNED!

Happy Hunting - An7i (Danor Cohen)