CVE-2022-29072 7-Zip through 21.07 may allow privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.


However, once a user has been authenticated this becomes an elevation of privilege because the parent 7zFM.exe process has access to the file contents. 7-Zip through 21.07 on Windows is vulnerable to command injection when a user drags a .7z file to the Help>Contents area (the "Instruction" menu): a user can drag a .7z file to that menu to execute arbitrary code. This is a heap overflow, and the attacker needs to supply a large amount of data. The same drag action is also described as a path traversal that can delete the file. CVE-2018-1087 is also cited for the same command injection and path traversal behaviour.

Mitigation Strategies for 7-Zip

In order to mitigate this vulnerability, administrators can restrict access to the help menu. Because 7-Zip through 21.07 on Windows is also vulnerable to path traversal when a user drags a .7z file to the "Instruction" menu, administrators should secure access to this menu by removing the "Instruction" menu from their GUI or by disabling its use entirely.

Summary

The vulnerabilities are due to insufficient input validation from 7-Zip, which allows an attacker to execute arbitrary code.

Version Information

The following versions of 7-Zip through 21.07 on Windows are vulnerable:
7-Zip 9.20 beta
7-Zip 9.21 beta
7-Zip 9.22 beta
7-Zip 9.25 alpha 2
Note that the "Instruction" menu is also vulnerable on Windows 7, 8 and 10 unless a .bat file is used in place of the .7z file; such a file cannot be deleted on those operating systems.

What to do if you are affected?

If you are affected, you need to update your 7-Zip installation to the latest version.
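As an added example (not from this advisory or the 7-Zip project), a small Python triage helper that parses 7-Zip version strings in the forms listed above (e.g. "9.25 alpha 2", "21.07") and flags hosts still on a release through 21.07, so an administrator can see which installations need the update. The inventory lines are constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional

# Boundary given by the advisory: every release "through 21.07" is affected.
LAST_AFFECTED = (21, 7)

# Accepts "21.07", "7-Zip 9.20 beta", "9.25 alpha 2" (optional product prefix,
# optional alpha/beta tag with an optional counter).
VERSION_RE = re.compile(
    r"^(?:7-Zip\s+)?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s+(?P<tag>alpha|beta)(?:\s+(?P<tagnum>\d+))?)?\s*$",
    re.IGNORECASE,
)


class SevenZipVersion(NamedTuple):
    major: int
    minor: int
    tag: Optional[str]  # "alpha", "beta" or None for a final release
    tagnum: int         # pre-release counter, 0 when absent


def parse_version(text: str) -> SevenZipVersion:
    """Parse a 7-Zip version string; raises ValueError on unknown formats."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised 7-Zip version string: {text!r}")
    tag = m.group("tag").lower() if m.group("tag") else None
    return SevenZipVersion(int(m.group("major")), int(m.group("minor")),
                           tag, int(m.group("tagnum") or 0))


def is_affected(text: str) -> bool:
    """True when the release is 21.07 or earlier (alpha/beta builds included)."""
    v = parse_version(text)
    return (v.major, v.minor) <= LAST_AFFECTED


# Constructed inventory: "<host> <7-Zip version string>" per line (hypothetical hosts).
INVENTORY = """\
ws-01  7-Zip 9.20 beta
ws-02  7-Zip 21.07
ws-03  7-Zip 22.01
srv-04 7-Zip 9.25 alpha 2
"""


def hosts_needing_update(inventory: str) -> List[str]:
    """Return the hosts whose installed 7-Zip is within the affected range."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(None, 1)
        if is_affected(version):
            flagged.append(host)
    return flagged
```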
