7-Zip zero-day vulnerability grants privilege escalation

Daniel Sims

PSA: A security researcher recently discovered a vulnerability in the file archiver 7-Zip that could grant attackers high privileges and let them execute code. Developers haven't released a patch yet, but users can quickly nullify this security hole in the meantime.

Last week, researcher Kağan Çapar found and published a zero-day vulnerability in 7-Zip that can grant privilege escalation and command execution. Designated CVE-2022-29072, it affects Windows users running version 21.07 — the latest version as of now.

As the video below shows, an attacker with limited access to a system can activate the vulnerability by opening the "Help" window in 7-Zip under Help->Contents and dragging a file with the .7z extension into that window. Any file with that extension will work. It doesn't have to be a real 7z archive.

By running a child process under the 7zFM.exe process, the vulnerability can elevate the attacker's privileges and let them run commands on the target system. Çapar blames this on a misconfiguration in the file 7z.dll and a heap overflow.

The Windows HTML helper file may also share some blame, as other programs can allow command execution through it. Çapar mentions a similar vulnerability that works through the Windows HTML helper file and WinRAR.

Deleting the file "7-zip.chm" in the 7-Zip root folder can mitigate the issue until the developers release a patch. It's unclear when that will be.
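As an added example (not from the article, from 7-Zip, or from the researcher), the PowerShell script below applies that workaround on a single Windows host: it looks for 7-Zip in the standard install directories under Program Files (an assumption; portable installs elsewhere are not found), reports the 7zFM.exe version so an admin can see whether the affected 21.07 build is present, and removes 7-zip.chm after copying it to ProgramData so the help file can be restored once a fixed build ships.

```powershell
function Invoke-SevenZipChmWorkaround {
    # Added example, not 7-Zip's own code. Removes the help file the article names
    # as the interim mitigation, keeping a dated backup so it can be restored later.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Assumed install roots; a portable or custom-path install is not covered.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $candidates = $roots |
        ForEach-Object { Join-Path $_ '7-Zip' } |
        Where-Object { Test-Path $_ }

    if (-not $candidates) {
        Write-Host 'No 7-Zip install found under Program Files.'
        return
    }

    foreach ($dir in $candidates) {
        $fm  = Join-Path $dir '7zFM.exe'
        $chm = Join-Path $dir '7-zip.chm'
        if (-not (Test-Path $fm)) { continue }

        # Report the installed version; the article says 21.07 is the affected build.
        $ver = (Get-Item $fm).VersionInfo.ProductVersion
        Write-Host "7-Zip $ver found in $dir"

        if (-not (Test-Path $chm)) {
            Write-Host "Help file already absent in $dir; workaround in place."
            continue
        }

        # Back the help file up outside the install directory before removing it,
        # so it can be put back once a patched release is installed.
        $stamp  = Get-Date -Format 'yyyyMMdd'
        $backup = Join-Path $env:ProgramData "7-zip.chm.$stamp.bak"

        if ($PSCmdlet.ShouldProcess($chm, 'Back up and remove help file')) {
            Copy-Item -Path $chm -Destination $backup -Force
            Remove-Item -Path $chm -Force
            Write-Host "Removed $chm (backup saved to $backup)"
        }
    }
}

# Run it; add -WhatIf to preview without changing anything.
Invoke-SevenZipChmWorkaround
```

Run this from an elevated prompt, since files under Program Files cannot be removed by a standard user; `Invoke-SevenZipChmWorkaround -WhatIf` shows what would be removed without touching the file. Restoring is just copying the .bak file back to the install directory as 7-zip.chm after updating.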


 
7Zip seems to have a few super powers: if you import a file, maybe an Apple one, sometimes Windows can't delete it, rename it, move it, etc., yet opening the file in 7Zip allows you to rename it, so it behaves normally. Maybe someone knows an easier way, but it's very annoying having such files existing.
7Zip is on lots of PCs; still need limited access.
 
I was unable to duplicate this on Windows 11
1) copied cmd.exe to my desktop and renamed cmd.7z
2) Opened 7-Zip (v21.07)
3) Opened help > contents
4) Dragged cmd.7z to the help window
5) System asked me if I wanted to save or find an application to open it with
6) I was not able to open the file as Windows could not identify the correct software
 
It’s not rocket science. An application can acquire a lock on a file (which they might do when they have a file open). When closing 7-Zip, the file should become writable again. If you want to find out which program has a lock on a file, Windows supports this natively too. Open up the “Resource Monitor”, go to the CPU tab and under the “associated handles” pane search for the file by its filename. This lets you view/kill the task locking the file so you can manipulate the file again.

[Screenshot: Resource Monitor]
 
Thanks for that. I understand when a file is open, and I have used Task Manager to close the app; sometimes I just reboot the machine, but your advice helps. My point is different: say you import a file with a space as the leading letter in the name. MS doesn't like it; you can not normally save such a file, but you can download a file from another system where that is allowable. Then MS lets the file exist, but it is hard to, say, rename or delete it.
 
Seems odd that instead of just giving a warning about something like this, you also announce there's no current fix, what it works on and give the steps to execute it...
 
I'm sorry but if it's technically possible to implement a DLL and a CHM file in any location, that a user can use to gain root privileges, it's not a DLL or CHM issue, but clearly an OS one that needs immediate patching. If 7-Zip can implement such a sechole, because the OS allows for it, so can anyone else.
 