Latest WinRAR extension spoofing 0-day anatomy

Recently, WinRAR has a 0-day extension defect, which can be used for phishing and other purposes. Original Author: An7i, translated by Exploit, moderator of the XI Science Forum. WinRAR is a very powerful compression and decompression software developed by RARLAB. It is well known in Windows, and its File compression and decompression functions are widely praised. RAR files can be compressed into ZIP or RAR files. This article will show you a recently released winRAR 4.20 Vulnerability (which may be applicable to other versions), which can be used for file name spoofing. First, let's take a look at the format specification of the zip file (). The standard description of this file format makes it easy to see a problem: the compressed file name is located at the offset of 30. When using WinRAR to compress a file into zip files, it will also be similar to the file format, but WinRAR will add a few RAR items in addition to the specifications. For example, if you create a new file named test1.txt, write the 'aaaaa' string into the file body and compress the file. After compression, use a tool to view HEX code in hexadecimal format, as shown in the following figure: In the compressed package, WinRAR adds an additional file name when creating the compressed package. After multiple deeper tests, we can see that the first file name is a real file name, and WinRAR will compress it and save it. The second file name is actually used for display in the WinRAR GUI window. Well, we should have a problem by Convention: what happens if the first file name is different from the second one? The answer is that WinRAR will display the first modified and deceptive file name. After decompression, the user will see the real file name. Let's imagine that if a brother is named as a txt file, for example, the name is "Taobao", then you will be shocked... Haha .. Now let's start to construct a POC program. Let's give the file a more attractive name, aoi_sola.exe. The code of this exe file is as follows. The function is to pop up "Silic"

#include <stdlib.h>int main(){ System("mshta [removed]alert(\"Silic\");close();"); return 0;}

 

2. Use WinRAR to compress... 3. Open the compressed package with winhex, modify the name of the second file, change it to aoi_sola.jpg, and save it as a zip file. Finally, after double-clicking, you will be online ~ PS: I personally think that the pop-up window is better than the pop-up picture ~~ In addition, the vulnerability discoverer tests versions earlier than 5.0. The vulnerability has been fixed in the minor version 5.0. This is a fatal flaw for some people who are used to directly opening files in WinRAR .. Highly lethal. But for those who are used to "decompressing to Folders" first, this vulnerability seems to have nothing to do with them? The hacker's idea is: how to kill it! Just as it is, then the vast sky. jpg will become a vast sky. EXE ", and they will not open it. In fact, don't worry. There is a vulnerability called RLO Unicoder Characters. WinRAR combines these two vulnerabilities... It constitutes a perfect attack. No matter what it is, you are all in the middle of the attack. You see that you are really a zombie ~ PS: RLO Unicoder plugin. RLO only implements file name reversal and has a probability of success in actual use, but it is difficult to perform a perfect attack.