{"id":4829,"date":"2018-01-30T07:12:22","date_gmt":"2018-01-30T06:12:22","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=4829"},"modified":"2018-01-30T07:15:33","modified_gmt":"2018-01-30T06:15:33","slug":"7-zip-vulnerable-update-to-v18-0-1","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/01\/30\/7-zip-vulnerable-update-to-v18-0-1\/","title":{"rendered":"7-Zip vulnerable &ndash; update to version 18.01"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/01\/30\/7-zip-mit-sicherheitslcken-updaten\/\" target=\"_blank\">German<\/a>]Another notice for users of the packing program 7-Zip: older versions of the packer, which is available for various platforms, have security vulnerabilities. An update should be carried out as soon as possible.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/ssl-vg03.met.vgwort.de\/na\/1f7480a89fdf43e2be6dd2e05cd78166\" width=\"1\" height=\"1\">7-Zip is a packer tool that supports different archive formats and is available for Windows and Linux &#8211; as well as unofficially for macOS. German blog reader Ralf H. informed me a few hours ago about the program's security problems (thanks for that).<\/p>\n<p>On Dave's blog landave.io, the post <a href=\"https:\/\/landave.io\/2018\/01\/7-zip-multiple-memory-corruptions-via-rar-and-zip\/\" target=\"_blank\">7-Zip: Multiple Memory Corruptions via RAR and ZIP<\/a> reports the details. Dave found two vulnerabilities in 7-Zip in versions before 18.00.  <\/p>\n<h2>Memory Corruption in RAR (CVE-2018-5996)<\/h2>\n<p>The RAR code of 7-Zip is mostly based on a current UnRAR version. 
PPMd, an implementation of Dmitry Shkarin's PPMII compression algorithm, can be used for version 3 of the RAR format.  <\/p>\n<p>Dave has now found a vulnerability in the implementation of the unpacking routine that can be used to corrupt memory. In the blog post, Dave says that the 7-Zip binary files for Windows were compiled without the flags \/NXCOMPAT and \/DYNAMICBASE. This means that 7-Zip runs without ASLR on all Windows systems, and DEP is enabled only on 64-bit Windows systems and in the 32-bit version of Windows 10. For example, the following screenshot shows the latest version of 7-Zip 18.00 running on a fully updated Windows 8.1 x86:<\/p>\n<p><img decoding=\"async\" title=\"7-Zip in Process Explorer\" alt=\"7-Zip in Process Explorer\" src=\"https:\/\/i.imgur.com\/7ld8Mn3.jpg\">(Source: landave.io)<\/p>\n<p>There you can see that DEP has been permanently deactivated. In addition, 7-Zip is compiled without the \/GS flag, so there is no stack buffer overrun protection (stack cookies). Dave discussed this topic with Igor Pavlov (the developer of 7-Zip) and tried to convince him to activate all three flags. Pavlov, however, refused to activate \/DYNAMICBASE. <\/p>\n<p>Background: He prefers to create the binary files without a relocation table in order to achieve a minimum binary size. He also does not want to activate \/GS, as it could affect the runtime and binary size. At least he will try to activate \/NXCOMPAT for the next version. Apparently, it is currently not activated because 7-Zip is linked with an outdated linker that does not support the flag.<\/p>\n<p>Because there are various ways for an attacker to corrupt the stack and the heap, exploiting the bug for remote code execution is straightforward, especially when DEP is not in use.<\/p>\n<h2>Heap Buffer Overflow (CVE-2017-17969)<\/h2>\n<p>The ZIP part of the program contains a heap buffer overflow vulnerability in the LZW shrink routine. 
The relevant routine for the shrink decoder of 7-Zip was written by Igor Pavlov in 2005. The vulnerability seems to have been in the code ever since.  <\/p>\n<h2>Update to version 18.01<\/h2>\n<p>According to the information in the blog post, both bugs were fixed in 7-Zip version 18.00 beta. Currently the <a href=\"http:\/\/www.7-zip.org\/download.html\" target=\"_blank\">7-Zip download page<\/a> offers version 18.01. If you are using 7-Zip portable, download and unpack <a href=\"https:\/\/portableapps.com\/apps\/utilities\/7-zip_portable\" target=\"_blank\">version 18.01<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Another notice for users of the packing program 7-Zip: older versions of the packer, which is available for various platforms, have security vulnerabilities. An update should be carried out as soon as possible.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22],"tags":[1247,69,195],"class_list":["post-4829","post","type-post","status-publish","format-standard","hentry","category-security","category-update","tag-7-zip","tag-security","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4829","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4829"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4829\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\
/wp-json\/wp\/v2\/categories?post=4829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}