-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+-----------------------------------------------------------------------+
|                                                                       |
|              [ASCII-art logo not recoverable from extraction]         |
|                                                                       |
|                  CubilFelino Security Research Lab                    |
|                        proudly presents...                            |
+-----------------------------------------------------------------------+
Discovered by: Christian Navarrete (chr1x) - Mexico
Website URL: http://chr1x.sectester.net
Contact E-mail: [email protected]
OpenPGP key id: 0x3765F4F8
OpenPGP fingerprint: 58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8
Discovery date: 30/08/2009 (A good birthday gift! :)
Advisory URL: http://advisory.sectester.net/chr1xpwnadv-winrar-zip-filename-spoofing.pdf
Vulnerability on Video: http://www.youtube.com/user/sectester
PoC/Exploit Availability: http://chr1x.sectester.net/winrar380_PoC.zip
Software: WinRAR
Version: 3.80
Security risk: Low
Exploitable from: Local
Vulnerability: ZIP Filename spoofing
Release mode: Coordinated disclosure.
Vendor: http://www.rarlabs.com
Status: Current version (WinRAR v3.80) not patched; the next engine version (WinRAR v3.90) will be patched
CWE Weakness ID: CWE-372: Incomplete Internal State Distinction (1.5)
CVE ID: None provided
Disclosure Policy: http://www.wiretrip.net/rfp/policy.html
(Taken from Wikipedia)
WinRAR is a shareware file archiver and data compression utility
developed by Eugene Roshal, and first released around 1995. It is one
of the few applications that are able to create RAR archives natively,
because the encoding method is held to be proprietary.
WinRAR supports the following features:
planned to include 7z creation.
WinRAR v3.80 is prone to filename spoofing through a malformed .ZIP
file.
ZIP filename spoofing is possible due to a mismatch between the file
name shown in the file list of the WinRAR GUI shell and the name of the
extracted file. A realistic exploitation scenario is the following:
when a user opens the malformed file using WinRAR v3.80, the list shows
one filename (for example, imagefile.gif), but when the files are
extracted, the extracted file can be a different one, not the original
imagefile.gif. There are two pieces of code that look for the start of
the ZIP central directory: one in the extraction routine and another in
the file-list browser. They used slightly different approaches, so one
found the first filename record and the other found the "hidden" file.
They must be exactly the same, so that both find the same file names.
The ZIP format contains two copies of each file name, one in the local
file header and another in the central directory, for redundancy. If
the file names mismatch, this must not be a reason to abort extraction,
because that would defeat the entire purpose of having two file name
copies. It is up to the unzip implementation to choose a name, but
typically, if it cannot determine which of the records is more valid,
the central directory record takes precedence over the local file
header, because it contains more information about the file.
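The two name copies described above, and the listing/extraction disagreement described in the vulnerability section, can be checked with a small parser. The following Python script is an added example written for this edit; it is not WinRAR code and is not part of the original advisory or its PoC. It builds a constructed one-entry ZIP in memory, optionally overwrites the local-header name with a different name of the same length (so the central directory still says imagefile.gif while the local header does not, and every length and offset field stays valid), and then reads both copies through one shared central-directory walk so that "listing" and "extraction" cannot disagree. The header layouts and signatures come from the ZIP specification; all function names and the sample names are this example's own.

```python
import io
import struct
import zipfile

# Signatures from the ZIP specification (APPNOTE): local file header,
# central directory file header, end of central directory record.
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def parse_central_directory(data):
    """Walk the central directory and return (name, local_header_offset) per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries = []
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        # 46-byte fixed part; indices 10/11/12 are name/extra/comment lengths,
        # index 16 is the relative offset of the local file header.
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append((name, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def parse_local_header_name(data, offset):
    """Return the file name stored in the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local file header at offset %d" % offset)
    # 30-byte fixed part; index 9 is the file name length.
    f = struct.unpack("<4sHHHHHIIIHH", data[offset:offset + 30])
    name_len = f[9]
    return data[offset + 30:offset + 30 + name_len].decode("cp437")


def find_name_mismatches(data):
    """Compare both name copies for every entry, using the same central
    directory walk for 'listing' and 'extraction'. Returns a list of
    (central_name, local_name) for entries whose two copies disagree."""
    mismatches = []
    for central_name, local_off in parse_central_directory(data):
        local_name = parse_local_header_name(data, local_off)
        if central_name != local_name:
            mismatches.append((central_name, local_name))
    return mismatches


def build_sample_archive(spoof=False):
    """Constructed test data: a one-entry ZIP. With spoof=True the name in the
    local file header is overwritten with a different name of equal length, so
    the central directory still says imagefile.gif while the local header does
    not, and every length/offset field stays valid."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("imagefile.gif", b"GIF89a constructed sample bytes")
    data = bytearray(buf.getvalue())
    if spoof:
        (_, local_off), = parse_central_directory(bytes(data))
        start = local_off + 30  # the name follows the 30-byte local header
        data[start:start + len(b"imagefile.gif")] = b"spoofed01.exe"
    return bytes(data)


if __name__ == "__main__":
    for spoof in (False, True):
        archive = build_sample_archive(spoof)
        print("spoofed" if spoof else "clean", "->", find_name_mismatches(archive))
```

Running the script reports no mismatch for the clean archive and the pair ("imagefile.gif", "spoofed01.exe") for the spoofed one. The design point is the one the advisory makes: both the listing and the extraction path resolve the central directory through the same function, so they cannot land on different filename records. An unzip implementation that follows the advisory's guidance would then pick the central directory name for the extracted file; Python's own zipfile module takes the stricter route and raises BadZipFile when the two names differ, which is a reasonable policy for a scanner or gateway that would rather reject than guess.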
An attacker can use this vulnerability to hide malware and carry out
social engineering attacks, targeting Internet users.
Likelihood of exploitation: Low
Impact: Low
Overall risk: Low
DD/MM/YYYY
Thanks to Eugene Roshal for the good coordination provided and his very
quick response to me.
If you have something to say and want secure communication, please
download my public key from the following URL:
http://advisory.sectester.net/chr1x_publickey.asc
Conejita Hermosa (for supporting me during the long nights of research
:D), Pedrito (a.k.a. ril0), LogicalBeat, nitr0us, alt3kx, and special
thanks to Naibing Du & Brian S.K. for your full support and friendship
over all of those years.
It's a very peaceful (underground) but dark place in Mexico which has a
lot of desktop and laptop computers, (hardc0re) network hardware,
wired/wireless stuff, some hijacked Internet connections, music gear
and a studio (MIDI controllers and synthesizers), Psytrance/Drum & Bass
music almost always resounding off the walls, and why not? a very, very
nice aquarium with river monsters: piranhas, oscar fish & a plecostomus.
Also, it's equipped with a little fridge full of munchies, alcohol and
caffeine, with a box of cigarettes on the desktop and more books than
you can imagine about (in)security, martial arts (yeah! we love Ninjutsu
hacking) & programming. It is the best place to do R+D for the
wonderful, exciting & fascinating world of computers and security. Here,
Hacking is sublime!
[CubilFelino Security Research Lab - http://chr1x.sectester.net ]
"The computer security is an art form. It's the ultimate martial art."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJKwY7LAAoJEENUkd83ZfT4DWkH/0WJ1vgee7nqoYV1WwSJZDfp
FEeQpYMi9CpDXr7CjkfS54xuGDCZKnnlwIOYMOe/szDjgVNItX+KWZMfetYdKmrM
8Yj638wP+GqVm/zUTx77wLHEbIGu2jI+sPuJozgc3srt9NTJibMRtER0nPgi/o1p
jMqba4gHYCel8+jlx8tt9DFP6GA9NtqsIBqZMSEj5M7hWDeDYOw8utoZHxTuCYAs
vWZk5k7pBEel/qWZ0/bxXH+N/FYXTHiVWBxDHz49DWR4nwqg17lk6B03j3uecVD+
kdACWo4LHncvrCqGw33Y+IsBcioeLPRLGONbj+EcMKQbTuj3Vf2TTYlGHSoBlEg=
=KGWw
-----END PGP SIGNATURE-----