A few days ago I read this post: WinRar File extension spoofing ( 0DAY ). In it, the author describes, for example, how to create a ZIP file containing a file that has a JPG extension, but when it is opened directly from WinRAR, an EXE file is executed.

This vulnerability affects WinRAR v4.20, and other versions could be affected.

In this post, we will create a ".bat" file that executes a ping command against a Google server (think of the malicious actions an attacker could run instead...). We will compress it in ZIP format and, using a hex editor, change the extension to ".pdf" within the compressed file. When the user opens it, the ".bat" file will be executed instead of the "fake" PDF being opened.

These are the steps to follow.

  • Create the ".bat" file. You could also use ".vbs", ".exe" or whatever... A hacker would use their own malware... In our proof of concept I've used a ".bat" file with the name "Best Security Tools 2014.bat".

  • Compress the file in a ZIP file using WinRar.

  • We can see our file with the extension ".bat" inside the ZIP file.

  • If you open the ZIP file with XVI32, you will see the name of the file twice inside the compressed file.

  • Now, we need to change the second one. I've renamed the file to ".pdf" and I've saved it.

  • If we open the ZIP file again, we can see a file with a PDF extension...

  • ... but if we open it directly from WinRAR, the .bat file is executed...

But if you uncompress the file into a folder, you will see the real file "Best Security Tools 2014.bat" instead of the "fake" file "Best Security Tools 2014.pdf".
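The two copies of the name seen in the hex editor are the ZIP local file header (in front of the file data) and the central directory entry (at the end of the archive), so an archive edited this way can be detected by comparing them. The following check is an added example, not code from the original post; the function names and the "report.bat" fixture are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header
LFH_SIG = b"PK\x03\x04"   # local file header


def name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Return (central_directory_name, local_header_name) pairs that differ."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # Total entry count, central directory size, central directory offset.
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    mismatches = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh_off,) = struct.unpack_from("<I", data, pos + 42)
        cd_name = data[pos + 46:pos + 46 + name_len]
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            raise ValueError("central directory points at a bad local header")
        (lfh_name_len,) = struct.unpack_from("<H", data, lfh_off + 26)
        lfh_name = data[lfh_off + 30:lfh_off + 30 + lfh_name_len]
        if cd_name != lfh_name:
            mismatches.append((cd_name.decode("cp437"), lfh_name.decode("cp437")))
        pos += 46 + name_len + extra_len + comment_len
    return mismatches


def constructed_samples() -> tuple[bytes, bytes]:
    """Constructed fixtures: a clean ZIP and a copy whose central-directory name was edited."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.bat", "placeholder text, not a script")
    clean = buf.getvalue()
    cd = clean.rfind(CDH_SIG)
    tampered = clean[:cd] + clean[cd:].replace(b"report.bat", b"report.pdf")
    return clean, tampered


if __name__ == "__main__":
    for label, blob in zip(("clean", "tampered"), constructed_samples()):
        print(label, name_mismatches(blob))
```

Any non-empty result means the name shown in the archive listing is not the name stored next to the file data, which is a reason to quarantine the attachment before a user opens it.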

So, I think there is nothing more to say about the capabilities this technique has. Imagine mixing this technique with the one used in the Siesta Campaign...