A vulnerability, CVE-2022-29072 (heap overflow), exists in the 7-Zip application up to version 21.07 and allows privilege escalation on Windows. This could let an attacker gain system privileges and then compromise the system at will. Here is some information about it. Addendum: It seems this was a hoax or a mistake. An elevation of privileges, as originally stated by the finder, is (probably) not possible.
A few words about 7-Zip
7-Zip is a free and open-source archiving program licensed under the terms of the LGPL. It is developed by the Russian software developer Igor Viktorovich Pavlov, who released the first version of 7-Zip in 1999 and, according to Wikipedia, is still actively developing it today (as of spring 2021). The package or its libraries are used in many software products.
In addition to .zip archives, the archive manager also supports other archive formats commonly used under Windows, such as .rar, .arj or .lzh. In the blog post Security-Risk: Avoid 7-Zip I had pointed out the problem of security issues in 7-Zip, and disclosed some details that make the use of 7-Zip questionable after all.
I myself use the tool in a portable version on my computer, but use it only very rarely and very restrictively. However, I can't avoid the tool completely, because I can use it, for example, to directly display the contents of an .iso file (image of a CD or DVD) or a .vhd file (virtual drive, without mounting it). Unpacking Microsoft's update packages is also done quickly with 7-Zip. And it supports the RAR-format archives created by the paid WinRAR. But one must always be aware of the risk of walking into a trap when unpacking an archive with malicious content.
Vulnerability CVE-2022-29072
I already came across this issue at Easter via the following tweet, which is described in more detail in this GitHub post. In the meantime, several blog readers have already pointed out the issue to me via various channels (thanks for that).
Addendum: The guy who discovered the 0-day tricked us. The first GitHub description was written in English. A couple of minutes ago, the post was updated and it's now in Turkish. I've saved an English copy here.
7-Zip up to version 21.07 allows privilege escalation and command execution on Windows when a file with a .7z extension is dragged into the Help > Contents pane. Specifically, the zero-day vulnerability in the 7-Zip software is said to be based on a 7z.dll misconfiguration and a heap overflow.
After installing the 7-Zip software, the help file 7-zip.chm is present in the program directory; its contents are executed via the Windows HTML Help function (hh.exe). According to the report, the heap overflow in 7zFM.exe combined with the command-execution capability of hh.exe lets an attacker execute commands, and the finder further claims that elevation to administrator privileges is possible through command injection. This requires dragging a file with the .7z extension into the Help > Contents section.
The person who found the vulnerability demonstrates the exploitation in a video linked on GitHub and recommends deleting the 7-zip.chm file (if there is no 7-Zip update) to close the vulnerability. If the help file is missing, hh.exe will not be called either. Furthermore, the discoverer recommends that the 7-Zip program (or its files) be granted read and execute permissions only (i.e. revoke write permissions). Then the files in question cannot be replaced by attackers. The problem, however, is that if write permission is not granted to all users, the possibility of performing an update is eliminated.
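The following audit script checks a 7-Zip installation for the two mitigations described above: whether 7-zip.chm is still present, and whether broad local groups hold write rights on the program directory. It is an added example, not code from the blog post or from the 7-Zip project; the default install path and the list of "broad" principals are assumptions and should be adjusted for portable installs.

```powershell
# Added audit script (not from the blog post or the 7-Zip project).
# Assumption: default install location; change this for portable installs.
$SevenZipDir = 'C:\Program Files\7-Zip'

function Test-SevenZipHelpMitigation {
    param([string]$Dir = $SevenZipDir)

    $chm = Join-Path $Dir '7-zip.chm'
    $result = [ordered]@{
        InstallDir      = $Dir
        ChmPresent      = Test-Path -LiteralPath $chm   # hh.exe is only invoked if this exists
        WritableByUsers = $false
        WritableBy      = @()
    }

    if (Test-Path -LiteralPath $Dir) {
        $acl = Get-Acl -LiteralPath $Dir
        # Assumed list of principals that any unprivileged local user belongs to.
        $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
        # Rights that would allow such a user to replace files in the directory.
        $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                $result.WritableByUsers = $true
                $result.WritableBy += $ace.IdentityReference.Value
            }
        }
    }
    [pscustomobject]$result
}

Test-SevenZipHelpMitigation | Format-List
```

A result with ChmPresent = True and WritableByUsers = True means neither recommended mitigation is in place; the permission check only inspects the directory ACL, so file-level ACLs on 7-zip.chm itself would need a second Get-Acl call.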
Addendum: On Twitter there is a discussion about the vulnerability, and it seems that it's not a real vulnerability. It seems that privilege escalation isn't possible via this attack path.
From the available information we know a few things:
1) The command execution problem in question is in the HTML Help API and not in 7-Zip, but Microsoft stated it doesn't consider it a vulnerability and thus won't be fixing it.
2) Kağan Çapar who reported the problem confessed he intends to "sell the exploit" and thus won't be providing info about it to the author of 7-zip: https://sourceforge.net/p/sevenzip/bugs/2337/#1a91 , https://sourceforge.net/p/sevenzip/bugs/2337/#435b and https://sourceforge.net/p/sevenzip/bugs/2337/?page=1#0fd4
3) The "specially crafted .7z file" he demonstrates for code execution is in fact an HTML file that executes a command under the current user account's privileges: https://github.com/kagancapar/CVE-2022-29072/blob/main/command-exec-basic-7zip/7zip.html
4) No proof of concept for the privilege escalation claim was shared despite his initial promise to do so, making his claim suspect: https://github.com/kagancapar/CVE-2022-29072/blob/main/privilege-escalation-7zip/7zip.txt
5) Many people have disputed the problem: https://sourceforge.net/p/sevenzip/discussion/45797/thread/65ce9ab4cb/#1269