7-Zip App Vulnerability Grants Admin Privilege to Attackers

Apr 18, 2022
The mitigation steps don't quite make sense to me, because if someone really wanted to exploit this, they would just have to download the affected 7zip executable, the affected chm file, and the specifically crafted 7z file to any system, and voila. So that means there really is no mitigation to this other than, maybe, application blacklisting?

Am I missing something?

Expanding on the above, that means it would be far easier for someone to create a malicious dll file that exploits the inherent vulnerability in Microsoft's CHM system, and then you have an exploit that doesn't depend on 7zip at all. This means that the vulnerability isn't really with 7zip at all, but with Microsoft, and there is no type of mitigation until Microsoft patches it.
 

passivecool

I've had several attack attempts recently, with 7z attachments in emails. Sometimes outlandish, sometimes almost admirably refined; I run a couple of businesses so some very strange correspondence can turn out to be legitimate. I figured it was ransomware but could have been this as well.
 

wujj123456

The mitigation steps don't quite make sense to me, because if someone really wanted to exploit this, they would just have to download the affected 7zip executable, the affected chm file, and the specifically crafted 7z file to any system, and voila. So that means there really is no mitigation to this other than, maybe, application blacklisting?

Am I missing something?

Expanding on the above, that means it would be far easier for someone to create a malicious dll file that exploits the inherent vulnerability in Microsoft's CHM system, and then you have an exploit that doesn't depend on 7zip at all. This means that the vulnerability isn't really with 7zip at all, but with Microsoft, and there is no type of mitigation until Microsoft patches it.
Depends on the threat model, whether you consider your end user trusted or not. This is largely true for all local privilege escalation vulnerabilities.

If you assume the local user is malicious, then you are totally right. People can actively write exploits, let alone copying some vulnerable binary to trigger some known exploit. The fix has to be the root cause that would prevent escalation even with a vulnerable application, or generic mitigation like application blacklisting, signature detection or application sandboxing. If 7-zip doesn't have admin privilege to begin with, whatever bug it has shouldn't have allowed it to obtain the privilege. After all, it could have been an actual exploit, not a buggy application.

On the other hand, most of the time the actual user may be the victim, and it's the hacker trying to trick them into triggering the vulnerability attempting to gain admin privilege. In those cases, patching the trigger is helpful and widely used applications are common attack surface. This angle just happens to be rather weak here, because who would normally drag a file to the help window? Perhaps only when tricked by social engineering to do so. It's probably easier to trick someone into allowing your excel macro than dragging a suspicious file to the help window. ¯\_(ツ)_/¯
 
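The two threat models discussed above (a malicious local user who brings their own copy of the vulnerable binary, versus a victim tricked into triggering it) lead to different checks. The script below is an added example, not code from the thread or from the 7-Zip project: it inventories 7-Zip executables both in the normal install directory and in user-writable locations where a copied binary could be run from, and reports the file version and whether the help file sits next to each copy. It assumes the executable names 7zFM.exe, 7z.exe and 7zG.exe and the help file name 7-zip.chm (the names 7-Zip ships with); the $FixedVersion threshold is a placeholder to be filled in from the vendor advisory, since the thread does not state the patched version.

```powershell
# Added example (not from the thread or the 7-Zip project): inventory 7-Zip
# binaries and the bundled help file across an endpoint, from a defender's view.
# Assumptions: 7-Zip executables are 7zFM.exe / 7z.exe / 7zG.exe and the help file
# is 7-zip.chm. $FixedVersion is a PLACEHOLDER; take the real value from the advisory.

param(
    [version]$FixedVersion = [version]'0.0'   # PLACEHOLDER: first patched release
)

# Standard install paths (admin-writable only) plus user-writable places where a
# local user could drop their own copy of a vulnerable build.
$searchRoots = @(
    "$env:ProgramFiles\7-Zip",
    "${env:ProgramFiles(x86)}\7-Zip",
    $env:USERPROFILE,
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$adminOnlyRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-SevenZipInventory {
    foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -Recurse -File -Include '7zFM.exe', '7z.exe', '7zG.exe' `
            -ErrorAction SilentlyContinue | ForEach-Object {
            $exe = $_
            # FileVersion strings such as "21.07" parse as [version]; guard odd strings.
            $ver = $null
            try { $ver = [version]$exe.VersionInfo.FileVersion } catch { }

            # A copy outside Program Files is one a non-admin user could have placed.
            $inAdminPath = $false
            foreach ($p in $adminOnlyRoots) {
                if ($exe.FullName.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) { $inAdminPath = $true }
            }

            [pscustomobject]@{
                Path               = $exe.FullName
                FileVersion        = $ver
                BelowFixedVersion  = if ($ver) { $ver -lt $FixedVersion } else { 'unknown' }
                HelpFilePresent    = Test-Path -LiteralPath (Join-Path $exe.DirectoryName '7-zip.chm')
                UserWritableLocale = -not $inAdminPath
            }
        }
    }
}

$inventory = Get-SevenZipInventory
$inventory | Sort-Object UserWritableLocale -Descending | Format-Table -AutoSize

# Summary for a ticket or SIEM note: copies a non-admin user could have introduced
# are the ones that removing the help file from Program Files does nothing about.
$userCopies = @($inventory | Where-Object UserWritableLocale)
Write-Host ("{0} 7-Zip binaries found, {1} in user-writable locations." -f @($inventory).Count, $userCopies.Count)
```

Run it as an administrator so that Program Files is readable in full; the rows with UserWritableLocale set to True are the ones that matter under the "malicious local user" model, because deleting the help file from the official install does not affect them, which is the point raised in the reply above.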