
Recently, GitHub user Kağan Çapar discovered a zero-day vulnerability, CVE-2022-29072, in the Windows archiver 7-zip. According to the GitHub readme for CVE-2022-29072, "Windows allows privilege elevation and command execution when a file with a .7z extension is dragged to the Help > Content area."

7-zip CVE-2022-29072 zero-day vulnerability

How the 7-zip CVE-2022-29072 zero-day works: a threat actor crafts a malicious file, gives it a .7z extension (the extension that archives compressed with 7-zip can have), drags and drops the file into the 7-zip help window, and runs commands in administrator mode.

7-zip is a cross-platform application. The disclosed CVE-2022-29072 issue is a zero-day vulnerability that allows privilege escalation and command execution. It is specific to Windows because it relies on 7-zip's interaction with the Windows help application hh.exe.

That is, anyone with limited access to your computer would be able to gain a higher level of control (usually administrator rights) and run commands in administrative mode: open 7-Zip's "Help" window and, under Help/Content, drag a file with a .7z extension into the window to activate the exploit. Any file with this extension will work; it does not have to be a real 7z file.

This looks like a very simple way to gain higher-level access to a system and run potentially unrestricted commands and applications, so it is no wonder the 7-zip vulnerability is described as "giving hackers the keys to the kingdom".

Kağan Çapar also provided some background information about the vulnerability and its discovery. First, 7-zip is not entirely happy to take responsibility for the vulnerability, which appears to rely on Microsoft's Help system. However, dropping the custom .7z extension file into the help window results in a heap overflow in 7zFM.exe and the resulting privilege escalation, which means that 7-zip is indeed partly responsible.

Vulnerability Patch

The latest version of 7-zip is v21.07, released in late December last year, which means that 7-zip has not yet patched the CVE-2022-29072 zero-day vulnerability.

On April 20, Google Project Zero vulnerability researcher Tavis Ormandy pointed out that the 7-zip CVE-2022-29072 vulnerability is now marked as "controversial" on its official list, and that "multiple third parties have reported that privilege escalation cannot occur."

According to Tavis Ormandy, the vulnerability can only be exploited by editing the registry and possibly other actions, such as adding another local administrator account. However, the description is not clear enough to identify the attack method. "If the dispute is approved, we will promptly notify you."

For this vulnerability, Google researchers have given two simple ways to mitigate the problem:

Method 1: If 7-zip is not updated, deleting the 7-zip.chm file is sufficient to close the vulnerability.
Method 2: Grant 7-zip only read and run permissions (for all users).

Of course, if you don't want to use either of the two methods above, you can simply wait for the 7-zip developers to release a patch.
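The two mitigations above can be checked with a read-only audit. The PowerShell below is an added example, not code from the original article or from the 7-zip project; the default install path, the function name `Test-SevenZipMitigation`, and the reading of Method 2 as "no write access for anyone other than administrators and system accounts" are assumptions.

```powershell
# Added example: audits Method 1 and Method 2 without changing anything.
# Assumption: the default below is the usual install location; pass -InstallDir otherwise.
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles '7-Zip')
)

function Test-SevenZipMitigation {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Install directory not found: $Path"
    }

    # Method 1: the help file opened through hh.exe should no longer exist.
    $chmPresent = Test-Path -LiteralPath (Join-Path $Path '7-zip.chm') -PathType Leaf

    # Method 2 (as read here): only trusted principals may hold write-type rights.
    # 0x50000000 covers raw GENERIC_ALL / GENERIC_WRITE bits that the enum does not name.
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($rights'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000
    $trusted   = @(
        'S-1-5-18',        # SYSTEM
        'S-1-5-32-544',    # BUILTIN\Administrators
        'S-1-3-0',         # CREATOR OWNER (inherit-only placeholder)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $risky = foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
            '{0}: {1}' -f $rule.IdentityReference.Value, $rule.FileSystemRights
        }
    }

    [pscustomobject]@{
        InstallDir               = $Path
        Method1_HelpFileRemoved  = -not $chmPresent
        Method2_NoUntrustedWrite = @($risky).Count -eq 0
        WritableBy               = @($risky)   # SIDs with write-type access
    }
}

Test-SevenZipMitigation -Path $InstallDir
```

Any SID listed under `WritableBy` is an account or group that can still modify files in the install directory and should be reviewed before relying on Method 2.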

As one of the three most popular file archiving applications, 7-zip broke the "hegemony" of the shareware compression staples WinZip and WinRAR that swept the world in the 1990s. After several years of improvements, 7-zip won the "Tom's Hardware Elite Award" in 2013 for compression speed, ratio and size. 7-zip is not only completely free for personal or business use, but also cross-platform and portable.


MissD