[German]Another information for users of the packing program 7-Zip. Older versions of the packer available for various platforms have security vulnerabilities. An update should be carried out as soon as possible.
7-Zip is a packer tool that supports different archive formats and is available for Windows and Linux – as well as unofficially for macOS. German blog reader Ralf H. informed me a few hours ago about the program’s security problems (thanks for that).
In Dave’s blog landave.io there is a post 7-Zip: Multiple Memory Corruptions via RAR and ZIP reporting the details. Dave found two vulnerabilities in 7-Zip in versions before 18.00.
Memory Corruption in RAR (CVE-2018-5996)
The RAR code of 7-Zip is mostly based on a current UnRAR version. PPMd, an implementation of Dmitry Shkarin’s PPMII compression algorithm, can be used for version 3 of the RAR format.
Dave has now found a vulnerability in the implementation of the unpacking routine. This can be used to compromise memory (memory corruption). In the blog post, Dave says that the 7-Zip binary files for Windows were compiled without the compiler flags /NXCOMPAT and /DYNAMICBASE. This means that 7-Zip runs on all Windows systems without ASLR. And DEP is enabled only on 64-bit Windows systems as well as in the 32-bit version of Windows 10. For example, the following screenshot shows the latest version of 7-Zip 18.00 running on a fully updated Windows 8.1 x86:
There you can see that DEP has been permanently deactivated. In addition, 7-Zip is compiled without the /GS flag, so there is no stack monitoring. Dave discussed this topic with Igor Pavlov (the developer of 7-Zip) and tried to convince him to activate all three flags. Pavlov, however, refused to activate /DYNAMICBASE.
Background: He prefers to create the binary files without a relocation table in order to achieve a minimum binary size. It also does not want to activate /GS, as it could affect the runtime and binary size. At least he will try to activate /NXCOMPAT for the next version. Apparently, it is currently not activated because 7-Zip is linked to an outdated linker that does not support the flag.
Because there are different ways for attackers to corrupt the stack and heap, using it for remote code execution is straightforward, especially when no DEP is used.
Heap Buffer Overflow (CVE-2017-17969)
The ZIP part of the program contains a heap buffer overflow vulnerability in the LZW shrink routine. The relevant routine for the shrink decoder of 7-Zip was written by Igor Pavlov in 2005. The vulnerability seems to be in the code since then.
Update to version 18.01
According to the information in the blog post, both bugs were closed in 7-Zip version 18.00 beta. Currently the 7-Zip download page offers version 18.01. If you are using 7-Zip portable, download and unpack version 18.01.