Thursday, 3 April 2014

WinRAR 4.20 File Spoofing Vulnerability

So a few weeks ago, a 0 day vulnerability was found in WinRAR which allows someone to change the extension of the zipped file in WinRAR. This vulnerability is now being classified as a File Spoofing Vulnerability.

Here's how it works and if you want to try it.


Check that the version of WinRAR is 4.20.


If you have a Payload/malware in the .exe format, right click and 'Add to Archive'


Click on the ZIP and Click OK


 Once its zipped, when you double click on it, it will show that the file inside is a .exe file.



 Using a tool called xvi32, drag the zipped file to the application and you can see it in Hex format. Search for the .exe


 The searched file


Rename the .exe to .mp3 (an example) and save it


Open the zipped file and you can see it now changed to a .mp3 file.

What's scary is, when you execute the .mp3 file, it will execute as an .exe file which could allow the program to damage your computer depending on the creator of the malware.