WinRAR ZIP File Handling Filename Spoofing Vulnerability

Added: 04/28/2014
BID: 66383
OSVDB: 62610

Background

WinRAR is a shareware file archiver and data compression utility which runs on Microsoft Windows. It can create archives in ZIP format, as well as its own proprietary RAR format, and unpack a variety of other archive types.

Problem

WinRAR 4.x is vulnerable to remote code execution when handling ZIP files. An extracted filename can be spoofed when the filename shown to the user (taken from the ZIP file central directory) differs from the filename used to extract the file to the system (taken from the local file header). A remote attacker who persuades a user to open a specially crafted ZIP file could execute arbitrary code in the context of the vulnerable user.
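A defensive check for the mismatch described above, added here as an example and not taken from the advisory or from WinRAR: it compares each central directory filename with the name in the corresponding local file header and reports any pair that differs. The function names and the constructed sample archive are assumptions; ZIP64 and multi-disk archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header

def find_name_mismatches(data: bytes):
    """Return (central_directory_name, local_header_name) pairs that differ."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at offset 10, central directory offset at 16
    count, = struct.unpack_from("<H", data, eocd + 10)
    pos, = struct.unpack_from("<I", data, eocd + 16)
    mismatches = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header")
        # name/extra/comment lengths at offset 28; local header offset at 42
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)
        lfh, = struct.unpack_from("<I", data, pos + 42)
        cd_name = data[pos + 46:pos + 46 + n]
        if data[lfh:lfh + 4] != LFH_SIG:
            raise ValueError("bad local file header")
        # local header: name length at offset 26, name starts at offset 30
        ln, = struct.unpack_from("<H", data, lfh + 26)
        local_name = data[lfh + 30:lfh + 30 + ln]
        if cd_name != local_name:
            mismatches.append((cd_name, local_name))
        pos += 46 + n + m + k
    return mismatches

def build_sample(tamper: bool) -> bytes:
    """Constructed test archive; tamper=True makes the two names disagree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed test data")
    data = buf.getvalue()
    if tamper:
        # Rewrite only the central directory copy of the name (same length).
        cd = data.rfind(b"sample.bin")
        data = data[:cd] + b"sample.txt" + data[cd + 10:]
    return data

if __name__ == "__main__":
    print([find_name_mismatches(build_sample(t)) for t in (False, True)])
```

Any non-empty result means the name a listing shows and the name written on extraction can disagree, which is worth quarantining at a mail or file gateway regardless of which archiver the recipient uses.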

Resolution

Upgrade to WinRAR 5.x.

References

http://www.rarlab.com/vuln_zip_spoofing_4.20.html

Limitations

Exploit works on WinRAR 4.20 and 4.11 on Windows Server 2003 R2 and Windows 7.

The user must open the exploit file in a vulnerable version of WinRAR.

Platforms

Windows
