A Python-based tool for cloning cabinet file certificates
This tool will extract the certificate off of an indicated cabinet file and use the certificate to build a new cab file with a file of your choosing.
Built-in support for both Linux and Windows as it utilizes lcab and makecab.exe respectively; however, it should be noted that makecab and lcab generate cabs slightly differently and using this tool on Windows may not succeed. Therefore, it is recommended to use Linux.
Usage: CabCloningFactory.py <source cab file> <file to place in archive>
Script running:
File comparision (The file used was a Microsoft signed cab file on one of my boxes):
This tool is not perfect, and depending on the size of the cab file it may clone the signature but corrupt the new data inside. Depending on the type of compression that is used in the source cabinet file, some special header values will be changed as well, and further research and modification of the tool will be necessary to ensure a 100% success rate.
As a form of archive, cabinet files can be used in "Zip Slip" attacks against code or tools that are vulnerable to arbitrary file writes due to archive extraction. Concerns also exist for files that are automatically executed upon extraction.
The integrity of cabinet files are often protected via the use of digital signatures and certificates; however, it is possible to bypass signature and certificate checks through cloning techniques such as this tool.
More details on discovery and implications can be found on my blog entry: (https://k3ramas.blogspot.com/2019/09/the-time-i-chased-cab-file-zip-slip-and.html)