Mar 23, 2014


WinRar File extension spoofing ( 0DAY )

Winrar is one of the most common applications for compressing and decompressing data.
This article presents a new vulnerability that I have found at Winrar version 4.20.
(other versions might be vulnerable as well).

Here is a quick brief of the zip file format:


So by the file format descriptor, we can see that the Bits at offset 30 are referred to the file name of the compressed file. When we try to compress the file as "ZIP Format" with WINRAR, the file structure looks the same, but! WINRAR adds several properties of its own.

For example, let's look at a text file called "TEST1.txt" that contains the data "AAAAA" after it compressed as Zip with WINRAR:


In the example above it can be noticed that WINRAR add extra "filename" into the compressed file. Further analysis reveals that the second name is the "File Name" of the file, that WINRAR will give to the output uncompressed file, while the First name is the name that appears at the WINRAR GUI window.

Question: What would happen if the first name and the last name will be different?

Answer:   WINRAR will show the spoofed file name, while after decompression the user will get the real file name.

This Behavior can easily be turned into a very dangerous security hole.
Think about a hacker that publishes some informative "txt" file called "ReadMe.txt" or even
PDF like "VirusTotal_ScanResults.pdf" or more tempting file like"My Girl Friend new bathing suit.jpg".

Think about an innocent user that will open that file and instead of getting readme file, PDF book or interesting image, he will get a nasty Trojan Horse... 

So let's start building a nasty POC

1: First we gonna take some nasty file (just kidding) that will pop up the "PWNED" message.



 2: Second we will compress it with WINRAR by choosing "WINZIP" method.


3:  Finally we  will open the ZIP file with an hex editor, change the second name to the fake name we chose (MyPrivateImage.jpg) and save it as a ZIP file.


The result will be a nasty WINRAR file that shows an image file, when you double click it, the nasty binary file will execute:



This by itself is a very problematic behavior of WINRAR, but what about those people
that aren't double clicking files from WINRAR windows? yes... the  "Extract here" people  :\
If they will see a file that called " MyPrivateImage.jpg " turning into  " MyPrivateImage.exe " , well.... they will start worry  :)

Don't be afraid, for this purpose we can combine other known vulnerability for windows. This Vulnerability called "Unicode RLO Spoofing". In this technique, we use the RLO Unicode character.
( Read about it here: http://www.fileformat.info/info/unicode/char/202e/index.htm).

This character can easily confuse windows to present the file "Fede.jpg.exe" into "Fedexe..jpg".
Combination of these two vulnerabilities can get you the near perfect File spoofing ever.
When you look at it in WINRAR, you will see FEDEX.jpg And when you extract it, you will see Fedexe..jpg

No matter where you run the file from , YOU'll GET PWNED !

Happy Hunting - An7i (Danor Cohen)

17 comments :

  1. hey, I'm having some issues with this. I'm changing the second name, i can see that it changes at the gui, but it is still a JPG when I extract it, or double-click it.
    I'm using WinRar 3.9 64-bit, win-7.

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Hi
    it is possible that this version is not vulnerable

    ReplyDelete
  4. This is not a 0day, spammer do that since years, to infect people with Zeus.

    ReplyDelete
  5. Hi Steven
    Spammer used to do that with winrar 3.80 version (years ago), then it was fixed
    (try it yourself at 3.80 and above).
    I discovered the hole without knowing this history fact.

    ReplyDelete
  6. cool thing, liked the combination of simple method into very powerful outcome.
    adding a deceptive JPG icon to your malicious file makes it just perfect

    ReplyDelete
  7. this is not 0day , it's already shared in an Arabic Forum 2 months ago , :)
    and in version 4.20

    ReplyDelete
  8. How can you convert "Fede.jpg.exe" to "Fedexe..jpg
    I used this deo: https://www.youtube.com/watch?v=3022m3NnMo0
    But it couldn't find where should I put cursor.

    ReplyDelete
  9. Hi
    I don't know what you did wrong.
    There is a program called DarkCommet that includes tool that does it automaticly, i suggest you to try it.

    Best regards, Danor

    ReplyDelete
  10. To the best of my knowledge AVG 2014 will detect files with the RLO Unicode character in their name and delete them before they are executed

    ReplyDelete
    Replies
    1. Hi
      Nice to meet you , (you are the founder of the "TargetEye" trojan horse).
      You are probably right, further tests may be needed.

      Delete
  11. Hey Danor,
    We know each other and i would like to talk to you.
    Please contact me in the following email:
    barak@appsec-labs.com
    Kind regards,
    Barak.

    BTW, really nice job!

    ReplyDelete
  12. This issue is not limited to WinRAR: I created a Zip using 7-Zip 9.20 and I could edit it in similar way (I used Notepad++ and its hex-editor plugin).

    ReplyDelete
  13. It seems it works by renaming the file in the archive's table of content, so it should affect in one way or another any archive manager, as the TOC is written following .zip standards. BTW, .7z standard allows to encypt TOC,, to avoid this kind of attacks. For zip files, a way to mitigate this specification-level vulnerability might be the archive manager treating the file as for the declared extension, or better checking for content not matching tco when opening or extracting the archive - may be slow, but totally worth!

    ReplyDelete
  14. Hey Danor,

    Nice finding !
    Works perfectly on new Winrar 5.1 as well.
    Won't work on Windows 8 though.. I don't know why actually.

    ReplyDelete
    Replies
    1. Seems They Fixed It On New WinRAR Version... http://www.rarlab.com/vuln_zip_spoofing_4.20.html

      Delete