Update 4/20/2022 7:50amPT: The listed 7zip CVE-2022-29072 vulnerability has now been marked as "disputed" in the official listing, and "multiple third parties have reported that no privilege escalation can occur." According to Google Project Zero vulnerability researcher Tavis Ormandy who alerted us to the dispute, this exploit could only occur by editing the registry and possibly other maneuvers (like adding another Local Administrator account). However, the description isn't clear enough to discern the method of attack. We'll keep you updated if the dispute is granted.
A vulnerability has been discovered in 7-zip, the popular archiving program. This is an active zero-day vulnerability and is characterized as allowing privilege escalation and command execution. In other words, someone with limited access to your computer would be able to gain higher-level control, usually admin access, to run commands or apps. GitHub user Kagancapar seems to have unearthed this 7-zip Windows vulnerability, and it has reference CVE-2022-29072.
7-zip is a cross-platform app, but this vulnerability is tied to Windows, as it relies on 7-zip's interactivity with the Windows help application, hh.exe. For example, the GitHub readme file for CVE-2022029072 surmises "Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area."
The clip above shows the vulnerability discoverer dropping a specially crafted file with a .7z extension (mimicking the 7-zip file extension) onto the 7-zip help window and running a command in admin mode. This looks like quite a simple way to gain higher-level access to a system and run commands and apps that might otherwise be off-limits.
Kagancapar provided some enlightening background information on the vulnerability and its discovery. First, they mention that 7-zip isn't entirely happy to shoulder the blame for this vulnerability, as it seems dependent on the Microsoft Help system. However, the dropping of the custom .7z extension file on the Help window causes a heap overflow in 7zFM.exe and resulting privilege elevation – so that means 7-zip authors should accept part of the blame.
At the time of writing the current version of 7-zip for Windows, v21.07, is not patched for the vulnerability demonstrated in the video. If the vulnerability is of concern to you, with regard to your personal computer or systems you administer, please take some comfort from two easy ways to mitigate the issue:
- First method: If 7-zip does not update, deleting the 7-zip.chm file will be sufficient to close the vulnerability.
- Second method: The 7-zip program should only have read and run permissions. (For all users)
7-zip broke the hegemony of the skinflint guilt-inducing shareware compression staples WinZip and WinRAR in the noughties. After a few years of refinement, it was given a Tom's Hardware Elite Award for compression speed, ratio, and size back in 2013. As well as being totally free for personal or business use, 7-zip charms with its cross platform nature and portability.