There is a setting in Folder Options where you can hide the file extension so that only the filename is visible in Explorer. The problem with this setting is that the default is to hide, and a less careful user can be tricked when there is a double extension. For example, an executable file is shown as notes.txt, with the .exe hidden due to the Folder Options setting. The next step to make the file look more convincing is to change the file icon to the Notepad icon, so that it looks like a normal text file.

If you change the view type to “Details”, Explorer shows very clearly that the so-called notes.txt file is actually an application. You can confirm this further by right-clicking on the file, selecting Properties from the context menu and viewing the “Type of file”, which should show Application (.exe). An easy solution to prevent you from falling for the double extension trick is to disable the “Hide extensions for known file types” option from Control Panel > Folder Options > View tab. This is a very old trick, and a few antivirus applications like COMODO will warn you when they detect a double extension in a filename.

Another trick uses the Unicode Right to Left Override (RTLO) character to reverse the last six characters so that the extension is spoofed. For example, a notes.exe file can be renamed so that it appears as notesexe.txt. Although the file extension clearly shows as .txt in Explorer, the Windows operating system still recognizes the file as an application. Since the Right to Left Override character cannot be typed from the keyboard and is only shown in the Character Map program found in Windows, one can simply download a free third-party program called BabelMap to generate the RTLO character, copy it to the clipboard and paste it when renaming a file.

Fortunately, most major web browsers have stepped up to blacklist the Right to Left Override character so that the correct file extension is shown when a user attempts to download a file with a spoofed extension using the RTLO trick. Other than that, using the “Details” view in Explorer can greatly help you to determine the correct file type.

An older version of WinRAR, 4.20, is vulnerable to file name and extension spoofing. This means you can modify a ZIP file created by WinRAR 4.20 using a hex editor so that the GUI shows one filename and extension while a file with a different extension is what runs when it is opened directly from the program. An example is a notes.exe file compressed into a notes.zip using WinRAR 4.20. Then, using a hex editor, go to the end of the file and modify the notes.exe to notes.txt. Opening the notes.zip file in WinRAR 4.20 will now show the archived file as the spoofed notes.txt instead of notes.exe.

Double-clicking on the spoofed file from the WinRAR GUI will run the file as an application. However, people who extract the file will be safe from this spoofing exploit, as they will see that it is an executable (.exe) file being extracted, not a text (.txt) file. WinRAR 5 and above have been patched against this exploit.
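The three tricks described above can be checked for mechanically; the following is an added example, not code from the original article. It relies on the fact that a ZIP archive stores each entry name twice, once in the local file header ahead of the data and once in the central directory at the end of the file, so an edit made only near the end leaves the two copies disagreeing. The function names, the extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Unicode bidirectional controls that can reorder how a file name is displayed.
BIDI_CONTROLS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "pif"}  # assumed list, extend as needed
DECOY = {"txt", "pdf", "doc", "docx", "jpg", "png"}      # assumed list, extend as needed

def name_findings(name):
    """Flag the RTLO and double-extension tricks in a single file name."""
    findings = []
    if BIDI_CONTROLS & set(name):
        findings.append("bidi-control")
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXECUTABLE and parts[1] in DECOY:
        findings.append("double-extension")
    return findings

def zip_name_mismatches(data):
    """Return (central_directory_name, local_header_name) pairs that differ."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # these names come from the central directory
            off = info.header_offset
            if data[off:off + 4] != b"PK\x03\x04":
                raise zipfile.BadZipFile("local file header not found")
            # Local header is 30 fixed bytes; the name length is the u16 at offset 26.
            (name_len,) = struct.unpack_from("<H", data, off + 26)
            encoding = "utf-8" if info.flag_bits & 0x800 else "cp437"
            local = data[off + 30:off + 30 + name_len].decode(encoding)
            if local != info.orig_filename:
                mismatches.append((info.orig_filename, local))
    return mismatches

def build_sample(spoofed):
    """Constructed sample: a stored entry named notes.exe holding placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.exe", b"placeholder, not a program")
    data = bytearray(buf.getvalue())
    if spoofed:  # same edit the article describes: the copy of the name near the end
        pos = data.rfind(b"notes.exe")
        data[pos:pos + 9] = b"notes.txt"
    return bytes(data)

if __name__ == "__main__":
    print([name_findings(n) for n in ("notes.txt.exe", "notes\u202etxt.exe", "notes.txt")])
    print(zip_name_mismatches(build_sample(spoofed=True)))
```

A mail gateway or download scanner can treat any non-empty result from either function as grounds to quarantine the file or to show the user the real name.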