Skip to content

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.

License

Notifications You must be signed in to change notification settings

tehseensagar/CVE-2022-29072

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

About 7-zip

7-Zip is free software with open source. The most of the code is under the GNU LGPL license. Some parts of the code are under the BSD 3-clause License. Also there is unRAR license restriction for some parts of the code. Read 7-Zip License information.

You can use 7-Zip on any computer, including a computer in a commercial organization. You don't need to register or pay for 7-Zip.

CVE-2022-29072

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.

The zero-day included in 7-zip software is based on misconfiguration of 7z.dll and heap overflow. After the installation of 7-zip software, the help file in the HELP > contents content works through the Windows HTML Helper file, but after the command injection, a child process appeared under the 7zFM.exe process,

childproces

which is seen after the command injection, which is quite interesting, after this situation, 7-zip with WinAFL The fuzzing process was carried out. Thanks to the overflow vulnerability and wrong authorization based on the heap, it was noticed that when the process injection technique was applied (in memory) by using the powers of the 7z.dll file and the command prompt was called again, it was authorized on cmd.exe with the administrator mode. In the payload developed after this process, the psexec.exe file was used as raw;

NT AUTHORITY\SYSTEM privilege has been accessed thanks to the command "psexec -s cmd.exe -nobanner".

At this stage, 7-zip stated that the vulnerability was caused by hh.exe, but they were told that if there was a command injection from hh.exe, a child process should be created under hh.exe, so especially the heap-overflow side of this vulnerability will not be shared with the community.

To look at the discovery phase of the vulnerability;

As it is known, Microsoft HELPER ie hh.exe file "html help. full name microsoft html help executable. Program that opens help files with the chm extension." has been defined as. Many operations such as XXE, Command Execution are performed through the hh.exe file. It is possible to see vulnerabilities such as XXE or command execution in every program that uses the hh.exe interface. This issue came to my mind after the discovery of the XXE vulnerability detected by WinRAR. (https://www.exploit-db.com/exploits/47526) Although the developers of 7-zip say that Microsoft should fix the command execution authority obtained from hh.exe at this point, it has been observed that at the end of the day, thanks to the heap overflow in 7zFM.exe and the command execution feature in hh.exe, privilege elevation is provided in the administrator mode.

poc video:

priv1.mp4

Mitigations

first method: If 7-zip does not update, deleting the 7-zip.chm file will be sufficient to close the vulnerability.

second method: The 7-zip program should only have read and run permissions. (For all users)

About

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HTML 100.0%