A vulnerability exists in WinRAR – probably one of the most used file archiving and data compression applications for Windows platform – that allows attackers to spoof files within the compressed archive thereby fooling gullible users into executing malicious payload hidden inside what otherwise seems to be a valid archive.
The vulnerability was first discovered by an independent researcher Danor Cohen. The vulnerability allows attackers to modify filenames and their extension within a traditional file archive enabling them to hide their malicious binary code masquerading it as either a valid looking ‘.jpg’, ‘.txt’, ‘.png’ or any other file.
The Israeli researcher notes that WinRAR uses the standard zip file format, but on top of that adds several properties of its own. Analysing a zip file using a hex editor, Cohen found that WinRAR adds an extra ‘file name’ into the compressed file.
He found that the first instance of the ‘file name’ is used to display the name in the WinRAR GUI window, while the second instance is the actual File Name of the file when uncompressed.
This means that an attacker can easily change the first instance of the file name to spoof the actual file extension. When a user double clicks on the archive, they would only see the spoofed file name and as a general practice double click on the filename to open it. This will effectively execute the malicious binary code masquerading as a legitimate file.
Cohen notes that there will be those who are vigilant enough and rather than executing the file directly from the WinRAR GUI will prefer to extract it first. In this case they will be able to see the real file. However, attackers may resort to what is called the ‘Unicode RLO Spoofing’ vulnerability to confuse windows into presenting a certain XYZ.jpg.exe file into XYZ..jpg
