Detailed analysis of WinRAR self-extracting cross-site scripting vulnerabilities - vulnerability warning - the Black Bar Safety Net (myhack58)

ID MYHACK58:62200819364
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2008-06-15T00:00:00


Many people say that the installation dialog of a WinRAR self-extracting (SFX) file can be used for cross-site scripting. The author tested it personally: it is not merely cross-site scripting. I originally thought it was a newly discovered vulnerability, but it turns out to be a defect of WinRAR itself: the SFX dialog renders arbitrary HTML code. The details follow.

First, create a self-extracting archive; the dialog shown in the figure below appears.


Figure 1

Then switch to the "Advanced" tab, where we see "SFX options".


Figure 2

Clicking "SFX options" brings up the dialog shown below.


Figure 3

Under "Text to display in SFX window", enter the simplest cross-site test code, <script>alert("haha")</script>, and click OK to create the file.

Then open the newly created file and observe the following result.


Figure 4

The cross-site alert pops up.

Putting the cross-site code into an <iframe> makes the effect even more apparent.


Figure 5

This shows that WinRAR self-extracting archives can not only spread Trojans by bundling them in; the same mechanism can also mount a cross-site attack. Security-conscious people usually open a self-extracting archive with WinRAR itself first.


Figure 6

But they will overlook malicious code present in the contents of the "Text and icon" tab. However, such malicious code also has a weakness: when the file is opened with WinRAR, the code is visible directly in the right-hand pane. Anyone with a little experience can spot it easily.


Figure 7

But the author of the file can make this more confusing by adding a lot of text and inserting the code somewhere in the middle, so that it is hard for the user to notice. There is another way it may be exploited: make WinRAR unable to open the self-extracting file at all. A packer can be applied to the SFX file so that WinRAR cannot open it, but packing is error-prone. One can also modify the self-extracting signature so that WinRAR cannot identify the file; then there is no way to see what the comment commands inside are. Modifying the self-extracting file itself is done as follows:

Open the self-extracting EXE file you want to modify in a hex editor. Find the hexadecimal strings listed below; the value before the arrow is what to search for, the value after the arrow is the replacement. The first modification is shown in the screenshot.


Figure 8

Once the first location is found, change it according to the first modification method; the other locations follow by analogy. Save after modifying. The other places to modify are listed below; red marks the bytes to be changed. The first modification method:

526172211A07 -> 526072211A07
807A0161 -> 807A0160

The second modification method:

526172211A07 -> 526171211A07
807A0272 -> 807A0171

Now compare before and after the modification. Right-click the file: the left figure is before, the right figure is after modification.


Figure 9 Figure 10

We see that after the modification the right-click menu simply no longer has the "Open with WinRAR" option. Now open the modified file to see whether it still runs.


Figure 11

It runs normally. This demonstrates how the file can be modified to bypass WinRAR recognition.

A packed file can be unpacked first, but that is difficult for the average user; the second kind of modification can likewise be reversed. At present there is no good solution, and one can only draw attention to prevention.
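For the prevention side, the two weaknesses described above (HTML in the SFX comment, and a patched RAR marker that hides the archive from WinRAR) can both be checked for mechanically. The following Python scanner is an added example, not code from the article or from WinRAR: it looks for the standard RAR 4.x marker block (the 52 61 72 21 1A 07 00 bytes of which the article shows the first six), reports marker copies that differ in one byte (the kind of edit the article performs), and flags script/iframe tags embedded in the file. The sample byte strings are constructed for the example and are not real WinRAR files.

```python
import re

# Standard RAR 4.x archive marker block: "Rar!" 0x1A 0x07 0x00.  This constant is
# the documented RAR format signature; the article shows its first six bytes.
RAR_MARKER = bytes.fromhex("526172211A0700")

# Tags that have no business in a legitimate SFX comment; the SFX dialog renders them.
SUSPICIOUS_TAG = re.compile(rb"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def find_markers(data, max_mismatch=1):
    """Return (offset, mismatched_bytes) for every window that equals the RAR
    marker or differs from it in at most `max_mismatch` bytes.  A non-zero
    mismatch count means the marker is present but altered, so WinRAR would no
    longer recognise the file as an archive."""
    hits = []
    n = len(RAR_MARKER)
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        mismatch = sum(1 for a, b in zip(window, RAR_MARKER) if a != b)
        if mismatch <= max_mismatch:
            hits.append((off, mismatch))
    return hits


def find_html(data):
    """Return the lower-cased names of suspicious HTML tags found in the file."""
    return [m.group(1).lower().decode() for m in SUSPICIOUS_TAG.finditer(data)]


def scan_sfx(data):
    """Combine both checks into one report dictionary."""
    markers = find_markers(data)
    return {
        "intact_marker": any(m == 0 for _, m in markers),
        "tampered_marker": [off for off, m in markers if m > 0],
        "html_tags": find_html(data),
    }


def verdict(data):
    """Human-readable list of reasons to distrust the file (empty means clean)."""
    report = scan_sfx(data)
    reasons = []
    if report["tampered_marker"]:
        reasons.append("RAR marker altered at offset(s) %s" % report["tampered_marker"])
    if report["html_tags"]:
        tags = ", ".join(sorted(set(report["html_tags"])))
        reasons.append("HTML %s tag embedded in SFX comment" % tags)
    return reasons


# Constructed sample standing in for an SFX executable: a fake stub, a marker
# patched exactly as in the article's first modification (0x61 -> 0x60), and a
# comment carrying a script tag.  Not a real WinRAR file.
SAMPLE_TAMPERED = (
    b"MZ" + b"\x00" * 16 + b"stub"
    + bytes.fromhex("526072211A0700")
    + b"release notes <script>alert('x')</script> more notes"
)

# Constructed clean sample: intact marker, plain-text comment.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 16 + RAR_MARKER + b"Plain release notes"


if __name__ == "__main__":
    for name, blob in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(name, verdict(blob) or ["no findings"])
```

To use it on a real file, read the EXE as bytes and pass it to `verdict()`; a mismatch count of one on a marker-shaped window is a strong signal that someone patched the signature, since a random seven-byte window almost never lands that close to the marker by chance.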