
WinRAR 3.80 Filename Spoofing
Posted Sep 29, 2009
Authored by chr1x

WinRAR version 3.80 suffers from a ZIP filename spoofing vulnerability.

tags | advisory, spoof
SHA-256 | 4880f2bb7f9786ba0a35c233213dc63a64301bccc3f90b77bbd582104b13228f

CubilFelino Security Research Lab
proudly presents...

Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing

Security Researcher Info:

Discovered by: Christian Navarrete (chr1x) - México
Website URL: http://chr1x.sectester.net
Contact E-mail: chr1x@sectester.net
OpenPGP key id: 0x3765F4F8
OpenPGP fingerprint: 58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8

Vulnerability General Information:
Discovery date: 30/08/2009 (a nice birthday gift! :)
Advisory URL:
Vulnerability on Video: http://www.youtube.com/user/sectester
PoC/Exploit Availability: http://chr1x.sectester.net/winrar380_PoC.zip
Software: WinRAR
Version: 3.80
Security risk: Low
Exploitable from: Local
Vulnerability: ZIP Filename spoofing
Release mode: Coordinated disclosure.
Vendor: http://www.rarlabs.com
Status: Current version (WinRAR v3.80) not patched; next engine version (WinRAR v.3.90) will be patched
CWE Weakness ID: CWE-372: Incomplete Internal State Distinction (1.5)
CVE ID: None provided
Disclosure Policy: http://www.wiretrip.net/rfp/policy.html

Product Description:
(Taken from Wikipedia)

WinRAR is a shareware file archiver and data compression utility
developed by Eugene Roshal, and first released around 1995. It is one
of the few applications that is able to create RAR archives natively,
because the encoding method is held to be proprietary.

WinRAR supports the following features:

* Complete support for RAR and ZIP archives, and unpacking of ARJ,
LZH, TAR, GZ, ACE, UUE, BZ2, JAR, ISO, EXE, 7z, and Z archives. Future
versions of WinRAR are planned to include 7z creation.
* The ability to create self-extracting and multi-volume (split)
* Data redundancy is provided via recovery records and recovery
volumes, allowing reconstruction of damaged archives.
* Support for advanced NTFS file system options and Unicode in file
* Optional archive encryption using AES (Advanced Encryption Standard)
with a 128-bit key.

I. Vulnerability Summary:

WinRAR v3.80 is prone to filename spoofing by means of a malformed
.ZIP file.

II. Vulnerability Description:
ZIP filename spoofing is possible because of a mismatch between the
file name shown in the file list of the WinRAR GUI shell and the name
of the extracted file. A realistic exploitation scenario is the
following: when a user opens the malformed file with WinRAR v3.80, the
file list shows one name (for example imagefile.gif), but when the
files are extracted, the extracted file can be a different one, not
the original imagefile.gif. There are two pieces of code that look for
the start of the ZIP central directory: one in the extraction routine
and one in file list browsing. They used slightly different
approaches, so one found the first filename record and the other found
the "hidden" file. They must be exactly the same, so that both find
the same file names.

The ZIP format contains two copies of each file name, one in the local
file header and another in the central directory, for redundancy. If
the names mismatch, that must not be a reason to abort extraction,
because it would defeat the entire purpose of having two copies of the
file name. It is up to the unzip implementation to choose a name, but
typically, if it cannot detect which of the records is more valid, the
central directory record takes precedence over the local file header,
because it contains more information about the file.
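The check a defender (or an archiver author) wants here is simply "do the two name copies agree, and does every code path that reads the archive see the same name?". The following Python script is an added example; it is not part of the advisory and not RARLAB code. It walks the central directory via the end-of-central-directory record, follows each entry's local-header offset, and reports any entry whose two name copies differ. It also shows what a central-directory-driven listing would display and whether Python's own `zipfile` module refuses the entry at extraction time. The sample archive, and the names `image.gif` / `notes.txt` in it, are constructed inside the script for demonstration only.

```python
import io
import struct
import zipfile

# ZIP record signatures (PKWARE APPNOTE)
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

LOCAL_HDR = "<4sHHHHHIIIHH"          # 30 bytes; last two fields are name_len, extra_len
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # 46 bytes; last field is the local-header offset
EOCD = "<4sHHHHIIH"                  # 22 bytes; total entries, cd size, cd offset, comment len


def _decode_name(raw: bytes, flags: int) -> str:
    # General-purpose bit 11 marks a UTF-8 name; otherwise APPNOTE says CP437.
    return raw.decode("utf-8" if flags & 0x800 else "cp437")


def central_directory_entries(data: bytes) -> list[tuple[str, int]]:
    """Locate the central directory through the EOCD record and return
    (name, local_header_offset) pairs in directory order."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from(EOCD, data, eocd)
    entries = []
    pos = cd_offset
    for _ in range(total):
        f = struct.unpack_from(CENTRAL_HDR, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        flags, name_len, extra_len, comment_len, lh_offset = f[3], f[10], f[11], f[12], f[16]
        name = _decode_name(data[pos + 46:pos + 46 + name_len], flags)
        entries.append((name, lh_offset))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def find_name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Follow each central-directory entry to its local file header and compare
    the two name copies. Returns (central_name, local_name) for every disagreement."""
    mismatches = []
    for cd_name, lh_offset in central_directory_entries(data):
        f = struct.unpack_from(LOCAL_HDR, data, lh_offset)
        if f[0] != LOCAL_SIG:
            raise ValueError(f"bad local header signature at offset {lh_offset}")
        flags, name_len = f[2], f[9]
        lh_name = _decode_name(data[lh_offset + 30:lh_offset + 30 + name_len], flags)
        if lh_name != cd_name:
            mismatches.append((cd_name, lh_name))
    return mismatches


def listing_names(data: bytes) -> list[str]:
    """What a file browser driven by the central directory would display."""
    return [name for name, _ in central_directory_entries(data)]


def extractor_rejects(data: bytes) -> bool:
    """Python's zipfile compares both name copies in open() and raises
    BadZipFile on a mismatch, so listing and extraction can never disagree."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            for info in zf.infolist():
                zf.open(info).close()
        except zipfile.BadZipFile:
            return True
    return False


def build_sample(spoof: bool) -> bytes:
    """Constructed test fixture: a one-entry stored archive. With spoof=True the
    local-header copy of the name is overwritten with a different name of the
    same length, so the central directory and local header disagree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("image.gif", b"GIF89a constructed sample payload")
    data = buf.getvalue()
    if spoof:
        first = data.find(b"image.gif")  # first occurrence is inside the local file header
        data = data[:first] + b"notes.txt" + data[first + len(b"image.gif"):]
    return data


if __name__ == "__main__":
    for spoof in (False, True):
        sample = build_sample(spoof)
        print(f"spoofed={spoof}: listing={listing_names(sample)} "
              f"mismatches={find_name_mismatches(sample)} "
              f"extractor_rejects={extractor_rejects(sample)}")
```

Run against a real archive, `find_name_mismatches(open(path, "rb").read())` returning a non-empty list is the condition the advisory describes: the listing shows the central-directory name while a local-header-driven extractor would produce a file under the other name. An archiver that resolves the two copies with a single shared routine (or, like Python's `zipfile`, refuses to extract an entry whose copies disagree) cannot show one name and write another.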

III. Potential Attack Vector:
An attacker can use this vulnerability to hide malware and to perform
social engineering attacks against Internet users.

IV. Risk Assessment:

Likelihood of exploitation: Low
* Since the user has to interact with the file, attack vectors clearly
exist, but whether they succeed depends on the context and on many
other factors.

Impact: Low
* If a user receives such a file (by whatever means) and opens it,
he/she sees a filename that isn't the one that can be

Overall risk: Low

V. Researcher & Vendor Communication / Disclosure Timeline


* 30/08/2009 --> Researcher sent a vulnerability notification e-mail to
the vendor at info@win-rar.com and support@win-rar.com.
* 31/08/2009 <-- Vendor responded to the researcher with a dedicated
e-mail address to which the vulnerability details should be sent.
* 31/08/2009 --> Researcher sent the full security testing analysis and
technical details to the vendor.
* 31/08/2009 <-- Vendor will investigate further, noting that this will
take some days.
* 01/09/2009 <-- Vendor replied explaining that the fix will be in the
next release, WinRAR 3.91, in months or sooner; the vendor also asked
the researcher whether a preliminary version of the fixed WinRAR.exe
file was wanted.
* 03/09/2009 <-- Vendor sent a partially corrected file to be security
tested, to ensure that the fix was applied correctly.
* 04/09/2009 --> Researcher notified the vendor that some tests had been
performed but that some things should be tested again.
* 05/09/2009 <-- Vendor and researcher performed technical analysis and
risk assessment to determine the risk level of the issue; a retest was
performed.
* 05/09/2009 --> Researcher informed the vendor that the issue is now
fixed.
* 05/09/2009 <-- Vendor commented that the fix will be released with
WinRAR v3.91; the vulnerability title was also decided.
* 05/09/2009 <-- Vendor asked the researcher to delay the vulnerability
announcement by a month, to have some time to prepare the next release.
* 05/09/2009 --> Researcher wrote the security advisory and sent it to
the vendor for final review.

Thanks to Eugene Roshal for his good coordination and very quick
response to me.

Secure email delivery:
If you need something to say and want a secure communication, please
download my Public Key from the following URL:


Conejita Hermosa (for supporting me through the long nights of
research :D), Pedrito (a.k.a. ril0), LogicalBeat, nitr0us, alt3kx, and
special thanks to Naibing Du & Brian S.K. for your full support and
friendship over all these years.

About CubilFelino Security Research Lab
It's a very peaceful (underground) but dark place in Mexico which has a
lot of desktop and laptop computers, (hardc0re) network hardware,
wired/wireless stuff, some hijacked Internet connections, music gear
and a studio (MIDI controllers and synthesizers), Psytrance/Drum & Bass
music almost always shaking the walls, and, why not? a very very nice
aquarium with river monsters: piranhas, oscar fish & a plecostomus.
Also, it's equipped with a little fridge full of munchies, alcohol and
caffeine, with a box of cigarettes on the desktop and more books than
you can imagine about (in)security, martial arts (yeah! we love
Ninjutsu hacking) & programming. It is the best place to do R+D for the
wonderful, exciting & fascinating world of computers and security.
Here, hacking is sublime!

[CubilFelino Security Research Lab - http://chr1x.sectester.net ]
"The computer security is an art form. It's the ultimate martial art."
