WinRar 4.20 - File Extension Spoofing

# Exploit Title: WinRar File extension spoofing (0Day)
# Date: 23/03/14
# Exploit Author: Danor Cohen (An7i)
# Vendor Homepage:
# Version: [4.20]
# Tested on: [Windows 8, Windows 7, Windows XP]

WinRAR File Extension Spoofing (0-day)

WinRAR is one of the most common applications for compressing and decompressing data.

The application is capable of compressing data in RAR or ZIP format.

This article presents a new vulnerability that I found in WinRAR version 4.20
(other versions may be vulnerable too).

Here is a quick overview of the ZIP local file header format:

Offset  Bytes  Description
00      4      Local file header signature = 0x04034b50 (read as a little-endian number)
04      2      Version needed to extract (minimum)
06      2      General purpose bit flag
08      2      Compression method
10      2      File last modification time
12      2      File last modification date
14      4      CRC-32
18      4      Compressed size
22      4      Uncompressed size
26      2      File name length (n)
28      2      Extra field length (m)
30      n      File name
30+n    m      Extra field

(information taken from wiki - )


So from the format description we can see that the bytes starting at offset 30 hold the file name of the compressed file.

When we compress a file as "ZIP format" with WinRAR, the file structure looks the same, but WinRAR adds several properties of its own.

WinRAR adds an extra "file name" entry to the compressed file, so the archive carries the name twice.

Further analysis reveals that the second name is the file name that WinRAR gives to the extracted output file, while the first name is the one that appears in the WinRAR GUI window.
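A defender-side check for the behaviour described above, built on the header layout in the table: the standard ZIP structure carries each file name twice, once in the local file header (at offset 30, as tabulated) and once in the central directory entry, and I assume those are the two names the advisory refers to. The following Python script is an added example, not the author's PoC: it walks the central directory, follows each entry's offset to its local file header, and reports any entry whose two stored names disagree. The sample archives are constructed in memory for the demonstration.

```python
# Added example (not the advisory's PoC): compare the file name stored in each
# ZIP central directory entry with the name in the matching local file header.
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50      # "PK\x03\x04", local file header (offset 0 in the table)
CENTRAL_SIG = 0x02014B50    # "PK\x01\x02", central directory file header
EOCD_MARK = b"PK\x05\x06"   # end of central directory record

LOCAL_FMT = "<IHHHHHIIIHH"          # 30-byte fixed part of the local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte fixed part of a central directory entry
EOCD_FMT = "<IHHHHIIH"              # 22-byte end of central directory record


def _central_directory(data: bytes) -> tuple:
    """Return (entry_count, cd_offset) from the end of central directory record."""
    pos = data.rfind(EOCD_MARK)
    if pos < 0:
        raise ValueError("end of central directory record not found")
    eocd = struct.unpack_from(EOCD_FMT, data, pos)
    return eocd[4], eocd[6]


def name_pairs(data: bytes) -> list:
    """Return [(central_name, local_name), ...] for every entry in the archive."""
    count, pos = _central_directory(data)
    pairs = []
    for _ in range(count):
        cd = struct.unpack_from(CENTRAL_FMT, data, pos)
        if cd[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        nlen, xlen, clen, local_off = cd[10], cd[11], cd[12], cd[16]
        central_name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        pos += 46 + nlen + xlen + clen
        # Follow the entry's own pointer to the local file header and read the
        # name at offset 30, exactly as the layout table describes.
        lh = struct.unpack_from(LOCAL_FMT, data, local_off)
        if lh[0] != LOCAL_SIG:
            raise ValueError(f"bad local file header signature at {local_off:#x}")
        local_name = data[local_off + 30:local_off + 30 + lh[9]].decode("cp437")
        pairs.append((central_name, local_name))
    return pairs


def find_mismatches(data: bytes) -> list:
    """Entries whose two stored names differ: the indicator a scanner should alert on."""
    return [(c, l) for c, l in name_pairs(data) if c != l]


def build_clean_sample() -> bytes:
    """Constructed test data: a normal one-file archive written by Python's zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", b"constructed sample content")
    return buf.getvalue()


def build_mismatch_sample() -> bytes:
    """Constructed test data: the clean archive with only the local header name
    altered (same length), so the two stored names disagree and the check fires."""
    data = build_clean_sample()
    assert data[30:40] == b"report.txt"  # name field of the first local header
    return data[:30] + b"report.bin" + data[40:]


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_sample()),
                          ("mismatch", build_mismatch_sample())):
        print(label, name_pairs(sample), "->", find_mismatches(sample) or "consistent")
```

Reading the local headers through the central directory offsets rather than walking them sequentially matters: when general purpose bit 3 is set, the compressed size in the local header may be zero and a sequential walk loses its place. A mismatch reported by this check is not proof of malice on its own, but it is exactly the condition that lets the name shown differ from the name written, so it is a reasonable rule for mail and upload scanners, and an extractor that validates both names agree before writing closes the gap.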

This behavior can easily be turned into a very dangerous security hole.

Think about a hacker who publishes some informative "txt" file called "ReadMe.txt", or a PDF such as "VirusTotal_ScanResults.pdf", or a more tempting file like "My Girl Friend new bathing suit.jpg".

Think about an innocent user who opens that file: instead of getting a readme file, a PDF book or an interesting image, he gets a nasty Trojan horse...

The PoC can be found in the original post on my blog: