7-Zip App Vulnerability Grants Admin Privilege to Attackers (Update)


Update 4/20/2022 7:50amPT: The listed 7-Zip CVE-2022-29072 entry has now been marked as "disputed" in the official listing, with the note that "multiple third parties have reported that no privilege escalation can occur." According to Google Project Zero vulnerability researcher Tavis Ormandy, who alerted us to the dispute, the demonstrated behaviour could only be reproduced after first editing the registry and possibly performing other maneuvers, such as adding another Local Administrator account, steps that already require administrative rights and so would not constitute an escalation. However, the published description isn't clear enough to discern the exact method of attack. We'll keep you updated if the dispute is upheld.

Original Article:

A vulnerability has been reported in 7-Zip, the popular archiving program. It was published as an active zero-day and is characterized as allowing local privilege escalation and command execution. In other words, someone with limited access to your computer would be able to gain higher-level control, usually admin access, and run commands or apps with those rights. GitHub user Kagancapar appears to have unearthed this 7-Zip Windows issue, and it has been assigned CVE-2022-29072.

7-Zip is a cross-platform app, but this vulnerability is tied to Windows, as it relies on 7-Zip's interaction with the Windows HTML Help application, hh.exe, which renders the program's CHM help file. The GitHub readme for CVE-2022-29072 states that "Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area."

The video clip in the original report shows the discoverer dropping a specially crafted file carrying the .7z extension (it need not be a valid 7-Zip archive) onto the 7-Zip help window and then running a command in admin mode. If it works as shown, this would be a remarkably simple way to gain higher-level access to a system and run commands and apps that would otherwise be off-limits.

Kagancapar provided some background on the vulnerability and its discovery. First, they mention that 7-Zip's developers are not entirely willing to shoulder the blame, as the behaviour seems to depend on the Microsoft HTML Help system. However, according to the write-up, dropping the crafted .7z file on the Help window causes a heap overflow in 7zFM.exe (the 7-Zip File Manager), and it is that overflow which leads to the privilege elevation, so on that reading the 7-Zip authors would share part of the blame.


At the time of writing the current version of 7-Zip for Windows, v21.07, is not patched for the vulnerability demonstrated in the video. If the issue concerns you, whether on your personal computer or on systems you administer, there are two easy interim workarounds. Both only remove the demonstrated trigger; neither changes the privileges 7-Zip itself runs with, and neither is a substitute for a patched release.

  • First method: Until 7-Zip ships an update, deleting (or renaming) the 7-zip.chm file in the installation directory closes the demonstrated path, because the Help>Contents window can no longer be opened.
  • Second method: Give all users only read and execute permissions on the 7-Zip program directory, so that no standard user can write to it.
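As an added example (not from the original article, from Kagancapar's write-up, or from the 7-Zip project), the following PowerShell script applies both workarounds above on a stock 64-bit install and then checks that they took effect. The $SevenZipDir default, the default path under Program Files, and the choice to rename rather than delete the CHM are assumptions made for this example; change the path for a portable or 32-bit copy. Run it from an elevated prompt.

```powershell
# Added example: apply the two interim 7-Zip workarounds and verify them.
# Not code from the original article or the 7-Zip project.
# Assumption: default 64-bit install under $env:ProgramFiles\7-Zip.
param(
    [string]$SevenZipDir = (Join-Path $env:ProgramFiles '7-Zip')
)

if (-not (Test-Path $SevenZipDir)) {
    throw "7-Zip directory not found: $SevenZipDir"
}

$chm = Join-Path $SevenZipDir '7-zip.chm'

# Workaround 1: disable the CHM help file that 7zFM.exe hands to hh.exe.
# Renaming (an assumption of this example) lets it be restored after a patch.
if (Test-Path $chm) {
    Rename-Item -Path $chm -NewName '7-zip.chm.disabled' -Force
    Write-Host "Disabled help file: $chm"
}

# Workaround 2: make the install directory read/execute only for standard
# users. /inheritance:r drops inherited ACEs, /grant:r replaces existing
# grants for the named principals, (OI)(CI) propagate to files and subfolders.
icacls $SevenZipDir /inheritance:r `
    /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

# Verification: any allow ACE for a low-privilege principal that still carries
# a write-capable right is a failure. Synchronize is deliberately excluded,
# since icacls adds it to every ACE, including plain RX.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles `
             -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

$bad = (Get-Acl -Path $SevenZipDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $lowPriv -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
}

if ($bad) {
    $bad | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw "Non-administrative principals still have write access to $SevenZipDir"
}
if (Test-Path $chm) {
    throw "7-zip.chm is still present in $SevenZipDir"
}
Write-Host "OK: CHM help disabled and $SevenZipDir is read/execute only for standard users."
```

On a default Program Files install, standard users already have only read and execute access, so the second step mainly matters for portable copies unpacked into a user-writable folder; the ACL check at the end tells you whether it was needed. Neither step alters what 7-Zip itself runs as, which is exactly the point the dispute note above turns on: if no real escalation occurs, these workarounds cost nothing but also gain nothing.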

7-zip broke the hegemony of the skinflint guilt-inducing shareware compression staples WinZip and WinRAR in the noughties. After a few years of refinement, it was given a Tom's Hardware Elite Award for compression speed, ratio, and size back in 2013. As well as being totally free for personal or business use, 7-zip charms with its cross platform nature and portability.


Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.


8 Comments from the forums

  • digitalgriffin

    What end user would drop a .7z file on a windows help program?

    Reply

  • digitalgriffin said:

    What end user would drop a .7z file on a windows help program?

    One who's working on a shared/work/school computer?

    Reply

  • Electrichead

    It's not just any .7z file. Looks like an executable that is specifically designed to elevate privileges wrapped up in a 7z file.

    Reply

  • stealth006

    The mitigation steps don't quite make sense to me, because if someone really wanted to exploit this, they would just have to download the affected 7zip executable, the affected chm file, and the specifically crafted 7z file to any system, and voila. So that means there really is no mitigation to this other than, maybe, application blacklisting?

    Am I missing something?

    Expanding on the above, that means it would be far easier for someone to create a malicious dll file that exploits the inherent vulnerability in Microsoft's CHM system, and then you have an exploit that doesn't depend on 7zip at all. This means that the vulnerability isn't really with 7zip at all, but with Microsoft, and there is no type of mitigation until Microsoft patches it.

    Reply

  • mo_osk

    stealth006 said:

    Am I missing something?

    Maybe the attack only works if 7fm.exe is in the program files folder?

    Reply

  • passivecool

    I've had several attack attempts recently, with 7z attachments in emails. Sometimes outlandish, sometimes almost admirably refined; I run a couple of businesses so some very strange correspondence can turn out to be legitimate. I figured it was ransomware but could have been this as well.

    Reply

  • wujj123456

    stealth006 said:

    The mitigation steps don't quite make sense to me, because if someone really wanted to exploit this, they would just have to download the affected 7zip executable, the affected chm file, and the specifically crafted 7z file to any system, and voila. So that means there really is no mitigation to this other than, maybe, application blacklisting?

    Am I missing something?

    Expanding on the above, that means it would be far easier for someone to create a malicious dll file that exploits the inherent vulnerability in Microsoft's CHM system, and then you have an exploit that doesn't depend on 7zip at all. This means that the vulnerability isn't really with 7zip at all, but with Microsoft, and there is no type of mitigation until Microsoft patches it.

    Depends on the threat model, whether you consider your end user trusted or not. This is largely true for all local privilege escalation vulnerabilities.

    If you assume the local user is malicious, then you are totally right. People can actively write exploits, let alone copying some vulnerable binary to trigger some known exploit. The fix has to be the root cause that would prevent escalation even with a vulnerable application, or generic mitigation like application blacklisting, signature detection or application sandboxing. If 7-zip doesn't have admin privilege to begin with, whatever bug it has shouldn't have allowed it to obtain the privilege. After all, it could have been an actual exploit, not a buggy application.

    On the other hand, most of time the actual user may be the victim, and it's the hacker trying to trick them into triggering the vulnerability attempting to gain admin privilege. In those cases, patching the trigger is helpful and widely used applications are common attack surface. This angle just happens to be rather weak here, because who would normally drag a file to help window? Perhaps only when tricked by social engineering to do so. It's probably easier to trick someone into allowing your excel macro than dragging a suspicious file to help window. ¯\_(ツ)_/¯

    Reply

  • rugupiruvu

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29072

    NOTE: multiple third parties have reported that no privilege escalation can occur.

    ¯\_(ツ)_/¯ Fishy.

    Reply
