WinRar 4.20 - File Extension Spoofing (0Day)

# Exploit Title: WinRar File extension spoofing (0Day)
# Date: 23/03/14
# Exploit Author: Danor Cohen (An7i)  (http://an7isec.blogspot.co.il/) (https://twitter.com/An7i21)
# Vendor Homepage: http://www.rarlab.com/
# Version: [4.20]
# Tested on: [Windows 8 ,Windows 7 ,Windows xp]

-------------------------------------------------------------------------------------------------

WinRar File extension spoofing ( 0DAY )

WinRAR is one of the most common applications for compressing and decompressing data. The application is capable of compressing data in RAR or in ZIP format.

This article presents a new vulnerability that I found in WinRAR version 4.20 (other versions may be vulnerable too).

Here is a quick brief of the ZIP file format (local file header):

Offset  Bytes  Description
00      4      Local file header signature = 0x04034b50 (read as a little-endian number)
04      2      Version needed to extract (minimum)
06      2      General purpose bit flag
08      2      Compression method
10      2      File last modification time
12      2      File last modification date
14      4      CRC-32
18      4      Compressed size
22      4      Uncompressed size
26      2      File name length (n)
28      2      Extra field length (m)
30      n      File name
30+n    m      Extra field

(the information is taken from the wiki - http://en.wikipedia.org/wiki/Zip_(file_format) )

---------------------------------------------------------------------------------------------------

So from the format description we can see that the bytes at offset 30 hold the file name of the compressed file.

When we compress a file in "ZIP format" with WinRAR, the file structure looks the same, but! WinRAR adds several properties of its own: it writes an extra "file name" into the compressed file, so the file name appears twice.

Further analysis reveals that the second name is the "File Name" that WinRAR will give to the extracted output file, while the first name is the name that appears in the WinRAR GUI window.

This behavior can easily be turned into a very dangerous security hole, because the two names can differ: the name (and extension) shown in the GUI does not have to match the name of the file that is actually written to disk.

Think about a hacker that publishes some informative "txt" file called "ReadMe.txt", or even a PDF like "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg".

Think about an innocent user that opens that file and, instead of getting a readme file, a PDF book or an interesting image, gets a nasty Trojan Horse...

A PoC can be found in the original post on my blog:
http://an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html
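A defender's check for the condition described above, added here as an example (not code from the author or from WinRAR): a ZIP stores each member name twice, in the local file header (offset 30 in the table above) and in the central directory, and the function below walks both and reports any member whose two copies disagree. The central directory and end-of-central-directory layouts are standard ZIP structures not shown on the page; the sample archive and the name "Report.dat" are constructed test data.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50    # local file header (layout in the table above)
CENTRAL_SIG = 0x02014B50  # central directory file header
EOCD_SIG = 0x06054B50     # end of central directory record


def name_mismatches(data: bytes):
    """Return (central_name, local_name) pairs whose two name copies disagree.
    A viewer that displays one copy and extracts with the other can be fooled
    when they differ, so any mismatch is worth flagging before opening."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries = struct.unpack_from("<H", data, eocd + 10)[0]  # total entries
    pos = struct.unpack_from("<I", data, eocd + 16)[0]      # central dir offset
    found = []
    for _ in range(entries):
        if struct.unpack_from("<I", data, pos)[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)  # name/extra/comment lengths
        local = struct.unpack_from("<I", data, pos + 42)[0]   # offset of local header
        central_name = data[pos + 46:pos + 46 + n].decode("utf-8", "replace")
        if struct.unpack_from("<I", data, local)[0] != LOCAL_SIG:
            raise ValueError("central entry does not point at a local header")
        ln = struct.unpack_from("<H", data, local + 26)[0]    # file name length (n)
        local_name = data[local + 30:local + 30 + ln].decode("utf-8", "replace")
        if central_name != local_name:
            found.append((central_name, local_name))
        pos += 46 + n + m + k
    return found


def sample_archive(desync: bool) -> bytes:
    """Constructed one-member archive; with desync=True the local-header copy
    of the name is overwritten with a different name of equal length."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("ReadMe.txt", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if desync:
        data[30:40] = b"Report.dat"  # first member's local header starts at offset 0
    return bytes(data)
```

A clean archive yields an empty list; the desynchronised sample yields one pair, which is the condition a mail gateway or download scanner would reject.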