WinRar 4.20 - File Extension Spoofing (0Day)
# Exploit Title: WinRar File extension spoofing (0Day)
# Date: 23/03/14
# Exploit Author: Danor Cohen (An7i) (http://an7isec.blogspot.co.il/) (https://twitter.com/An7i21)
# Vendor Homepage: http://www.rarlab.com/
# Version: [4.20]
# Tested on: [Windows 8, Windows 7, Windows XP]
-------------------------------------------------------------------------------------------------
WinRar File extension spoofing ( 0DAY )

WinRAR is one of the most common applications for compressing and decompressing data.
The application is capable of compressing data in RAR or ZIP format.
This article presents a new vulnerability that I found in WinRAR version 4.20 (other versions may be vulnerable too).

Here is a quick brief of the ZIP file format:

Offset  Bytes  Description
00      4      Local file header signature = 0x04034b50 (read as a little-endian number)
04      2      Version needed to extract (minimum)
06      2      General purpose bit flag
08      2      Compression method
10      2      File last modification time
12      2      File last modification date
14      4      CRC-32
18      4      Compressed size
22      4      Uncompressed size
26      2      File name length (n)
28      2      Extra field length (m)
30      n      File name
30+n    m      Extra field

(the information taken from wiki - http://en.wikipedia.org/wiki/Zip_(file_format) )
---------------------------------------------------------------------------------------------------
So, by the file format descriptor, we can see that the bytes at offset 30 hold the file name of the compressed file.
When we compress a file as "ZIP format" with WinRAR, the file structure looks the same, but WinRAR adds several properties of its own.
WinRAR adds an extra "file name" into the compressed file.
Further analysis reveals that the second name is the "File Name" that WinRAR will give to the output uncompressed file, while the first name is the name that appears in the WinRAR GUI window.

This behavior can easily be turned into a very dangerous security hole.
Think about a hacker who publishes some informative "txt" file called "ReadMe.txt", or even a PDF like "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg".
Think about an innocent user who opens that file and, instead of getting a readme file, a PDF book or an interesting image, gets a nasty Trojan horse...

POC can be found at the original post at my blogpost:
http://an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html
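A defensive check for the name mismatch described above, as an added example that is not part of the original advisory: it flags ZIP entries whose name in the local file header differs from the name in the central directory record. It assumes those two standard ZIP name fields are the "first" and "second" names the advisory refers to; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header (0x04034b50, little-endian)


def name_mismatches(data: bytes):
    """Return [(central_name, local_name)] for entries whose two names differ."""
    # Scope: plain single-disk ZIP, no ZIP64, no data prepended to the archive.
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory signature")
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)   # name/extra/comment lengths
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        central_name = data[pos + 46:pos + 46 + n]
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("bad local file header signature")
        (ln,) = struct.unpack_from("<H", data, local_off + 26)  # file name length (n)
        local_name = data[local_off + 30:local_off + 30 + ln]   # file name at offset 30
        if central_name != local_name:
            findings.append((central_name.decode("cp437"), local_name.decode("cp437")))
        pos += 46 + n + m + k
    return findings


def constructed_samples():
    """Constructed inputs: a clean archive and a copy with one name field altered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("ReadMe.txt", "inert constructed sample\n")
    clean = buf.getvalue()
    return clean, clean.replace(b"ReadMe.txt", b"ReadMe.bin", 1)


if __name__ == "__main__":
    for label, blob in zip(("clean", "altered"), constructed_samples()):
        print(label, name_mismatches(blob))
```

Any non-empty result means the archive shows one name and carries another, which is reason enough to quarantine it at a mail or download gateway before a user opens it.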