WinRAR v3.80 - ZIP Filename Spoofing

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1  

Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing

Security Researcher Info:

OpenPGP fingerprint: 58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8

Vulnerability General Information:

engine version (WinRAR v.3.90) will be patched CWE Weakness ID: CWE-372: Incomplete Internal State Distinction (1.5) CVE ID: None provided

Product Description:

(Taken from Wikipedia)

WinRAR is a shareware file archiver and data compression utility developed by Eugene Roshal, and first released around 1995. It is one of the few applications that is

able to create RAR archives natively, because the encoding method is held to be proprietary.

WinRAR supports the following features:

Complete support for RAR and ZIP archives, and unpacking of ARJ, LZH, TAR, GZ, ACE, UUE, BZ2, JAR, ISO, EXE, 7z, and Z archives. Future versions of WinRAR are

planned to include 7z creation.

* The ability to create self-extracting and multi-volume (split) archives.

* Data redundancy is provided via recovery records and recovery volumes, allowing reconstruction of damaged archives. * Support for advanced NTFS file system options and Unicode in file names.

* Optional archive encryption using AES (Advanced Encryption Standard) with a 128-bit key.

I. Vulnerability Summary:

WinRAR v3.80 is prone to a Filename Spoofing contained inside a malformed .ZIP file.

II. Vulnerability Description:

ZIP File Spoofing can be done by to a mismatch of file name in the file list in WinRAR GUI shell and in extracted file. A real exploitation of this issue is in the following scenario: When a user opens the malformed file using WinRAR v3.80 will see filename (example: imagefile.gif) but when files are extracted, the extracted file could be another one, not the original imagefile.gif. There are two parts of code looking for the start of ZIP central directory. One in extraction routine and other in file list browsing. they used slightly different approaches, so one of the first filename record found and another for the "hidden" file. They must be exactly the same and both find the same file names.

ZIP format contains two copies of file name, one in local file header and another in central directory, for redundancy purpose. If file names mismatch, it must not be a reason to abort extraction, because it would defeat the entire purpose of having two file name copies. It is up to unzip implementation to choose a name, but typically, if can't detect which of records is more valid, the central directory record has precedence over local file header, because it contains more information about a file.

III. Potential Attack Vector:

An attacker can use this vulnerability in order to hide malware and perform social engineering attacks to perform a successfull Internet user targeting attack.

IV. Risk Assessment:

Likelihood of exploitation:Low

* Since the user should interact a little bit with this, obviously attack vectors are here, but differs on the context and many things in order to get it done.

Impact: Low

* Since if a user receive this (doesn't matter the way) when he/she open the file can see a filename thats isn't the one that can be extracted.

Overall risk: Low

V. Researcher & Vendor Communication for Disclosure timeline