CVE-2022-29072 7-Zip through 21.07 may allow privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.

However, once a user has been authenticated this becomes an elevation of privilege because the parent 7zFM.exe process has access to the file contents. 7-Zip through 21.07 on Windows is vulnerable to command injection when a user drags a .7z file to the Help>Contents area. For example, a user can drag a .7z file to the "Instruction" menu to execute arbitrary code. This is a heap overflow and the attacker needs to supply a large amount of data. CVE-2018-1087 7-Zip through 21.07 on Windows is vulnerable to command injection when a user drags a .7z file to the "Instruction" menu. For example, a user can drag a .7Z file to the "Instruction" menu to execute arbitrary code. This is a heap overflow and the attacker needs to supply a large amount of data. CVE-2018-1087 7-Zip through 21.07 on Windows is vulnerable to path traversal when a user drags a .7z file to the "Instruction" menu. For example, a user can drag a .7Z file to the "Instruction" menu to delete the file. This is a path traversal and the attacker needs to supply a large amount of data. CVE-2018-1087 7-Zip through 21.07 on Windows is vulnerable to path traversal when a user drags a .7z file to the "Instruction" menu

Mitigation Strategies for 7-Zip

In order to mitigate this vulnerability, administrators can restrict access to the help menu. 7-Zip through 21.07 on Windows is also vulnerable to path traversal when a user drags a .7z file to the "Instruction" menu. Administrators should secure access to this menu by removing the "Instruction" menu from their GUI or by disabling its use entirely

Summary ##

The vulnerabilities are due to insufficient input validation from 7-Zip, which allows an attacker to execute arbitrary code.

Version Information

The following versions of 7-Zip through 21.07 on Windows are vulnerable:
7-Zip 9.20 beta
7-Zip 9.21 beta
7-Zip 9.22 beta
7-Zip 9.25 alpha 2
Note that the "Instruction" menu is also vulnerable on Windows 7, 8 and 10 unless a .bat file is used in place of the .7z file, which will not be able to be deleted on those operating systems.

What to do if you are affected?

If you are affected, you need to update your 7-Zip installation to the latest version.

Exploit

# Exploit Title: 7-zip - Code Execution / Local Privilege Escalation
# Exploit Author:  Kağan Çapar
# Date: 2020-04-12
# Vendor homepage: https://www.7-zip.org/
# Software link: https://www.7-zip.org/a/7z2107-x64.msi
# Version: 21.07 and all versions
# Tested On: Windows 10 Pro (x64)
# References: https://github.com/kagancapar/CVE-2022-29072

# About:
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.

# Proof of Concept:
<html>
<head>
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
<head>
<html>

Timeline

Published on: 04/15/2022 20:15:00 UTC
Last modified on: 04/25/2022 18:53:00 UTC

References

• https://sourceforge.net/p/sevenzip/bugs/2337/
• https://www.youtube.com/watch?v=sT1cvbu7ZTA
• https://github.com/kagancapar/CVE-2022-29072
• https://news.ycombinator.com/item?id=31070256
• http://packetstormsecurity.com/files/166763/7-Zip-21.07-Code-Execution-Privilege-Escalation.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29072