Spoofing extensions in winrar
Topic in one sentence - there is a technical possibility to replace the displayed file name in Winrar. And some image.jpeg will successfully execute as an .exe file :) I will not do a full translation of the original topic , but I will retell the essence under the cut.
If we consider the structure of the zip file
You can see that the bytes after the offset to 30 bytes indicate the name of the file inside the archive.
But! If you pack via WinRar in a ZIP file, WinRaR also adds its bytes (the general structure is, of course, the same).
')
You can see that the file name (in the example above, the file TEST1.txt was packed) is contained twice. And with the second name it will be unpacked, and with the first one it will be displayed in the Explorer Winrar.
And the main point: we can set the second value to any other, there will be no error. Accordingly, with a “typical” action - double click on a file with a .txt extension, we can execute a binary file.
Version 4.2 is vulnerable, and most likely lower. The solution is to install another archiver / or version of winrar from the 5th branch.
PoC: sergeybelove.ru/downloads/ZIP_WINRAR_POC.zip (a picture will open instead of the txt file).
UPD: dMetrius reports that 5.01 is not reproduced
If we consider the structure of the zip file
You can see that the bytes after the offset to 30 bytes indicate the name of the file inside the archive.
But! If you pack via WinRar in a ZIP file, WinRaR also adds its bytes (the general structure is, of course, the same).
')
You can see that the file name (in the example above, the file TEST1.txt was packed) is contained twice. And with the second name it will be unpacked, and with the first one it will be displayed in the Explorer Winrar.
And the main point: we can set the second value to any other, there will be no error. Accordingly, with a “typical” action - double click on a file with a .txt extension, we can execute a binary file.
Version 4.2 is vulnerable, and most likely lower. The solution is to install another archiver / or version of winrar from the 5th branch.
PoC: sergeybelove.ru/downloads/ZIP_WINRAR_POC.zip (a picture will open instead of the txt file).
UPD: dMetrius reports that 5.01 is not reproduced
Source: https://habr.com/ru/post/216785/
All Articles