WinRAR 4.20 – file extension spoofing (0day)

ID MYHACK58:62201443745
Type myhack58
Reporter Anonymous
Modified 2014-03-29T00:00:00


WinRAR is a commonly used compression and decompression tool. It packs data into .rar or .zip format archives. This article presents one of the latest vulnerabilities in WinRAR 4.20, a 0day. First, a brief overview of the relevant parts of the ZIP file format.

Offset  Bytes  Description
0       4      Local file header signature = 0x04034b50 (read as a little-endian number)
4       2      Version needed to extract (minimum)
6       2      General purpose bit flag
8       2      Compression method
10      2      File last modification time
12      2      File last modification date
14      4      CRC-32
18      4      Compressed size
22      4      Uncompressed size
26      2      File name length (n)
28      2      Extra field length (m)
30      n      File name
30+n    m      Extra field

(Information taken from Wikipedia.)

From the file format description, we can see that offset 30 holds the name of the compressed file. When we use WinRAR 4.20 to compress a file into ZIP format, the file structure looks unchanged, but WinRAR adds some file attribute parameters of its own.

WinRAR adds an extra "file name" to the compressed file. Further analysis showed that the second "file name" is the file's real file name, while the first "file name" is the one that appears in the WinRAR GUI window, and WinRAR assigns the first "file name" to the unzipped file as its file name.

This behavior can easily turn into a very dangerous security vulnerability.
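
As an added example (not code from the original article or from WinRAR), the following Python code checks an archive for the condition described above: it compares the file name in each local file header (offset 30 in the table) with the name the ZIP central directory stores for the same entry, and returns every pair that differs. Treating the article's second "file name" as the central directory copy is an assumption; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50    # local file header signature (table above)
CENTRAL_SIG = 0x02014B50  # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record

def local_name(data: bytes, off: int) -> bytes:
    """File name stored in the local file header at `off`."""
    sig, = struct.unpack_from("<I", data, off)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {off}")
    n, = struct.unpack_from("<H", data, off + 26)  # file name length (n)
    return data[off + 30:off + 30 + n]             # file name starts at offset 30

def name_mismatches(data: bytes):
    """Return (central_name, local_name) pairs that disagree.

    Assumption: the article's second "file name" is the central directory copy.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("end of central directory record not found")
    # total entries, central directory size, central directory offset
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    found = []
    for _ in range(count):
        sig, = struct.unpack_from("<I", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError(f"bad central directory entry at offset {pos}")
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)  # name, extra, comment lengths
        local_off, = struct.unpack_from("<I", data, pos + 42)  # offset of local header
        central = data[pos + 46:pos + 46 + n]
        local = local_name(data, local_off)
        if central != local:
            found.append((central, local))
        pos += 46 + n + m + k
    return found

def make_sample() -> bytes:
    """Constructed sample: a small, well-formed archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample content")
    return buf.getvalue()

if __name__ == "__main__":
    print(name_mismatches(make_sample()))  # a consistent archive yields []
```

A non-empty result means the archive carries two different names for the same entry and should be quarantined or inspected before anyone opens it.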
