
#2337 7-zip Code Execution Vulnerability

None
open
8
2022-04-21
2022-04-07
No

Hello,

While researching vulnerabilities on 7-zip, I noticed that there is a code execution vulnerability. I wanted to convey it to you. You can access the related video below

YouTube Link

Discussion

1 2 > >> (Page 1 of 2)
  • Igor Pavlov

    Igor Pavlov - 2022-04-07

    please write the text description.

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-08

    While searching for vulnerabilities on 7-zip, operations such as command line or reverse shell can be performed thanks to ActiveXObject, which allows executing commands within the JavaScript in the contents section under the help title. From here, I noticed that when the XXE vulnerability was occurring, it was run in the command. If you save the code below as html and drag and drop, you will see a PowerShell open.

    <html>
    <head>
    <HTA:APPLICATION ID="7zipcodeexec">
    <script language="jscript">
            var c = "cmd.exe /c powershell.exe";
            new ActiveXObject('WScript.Shell').Run(c);
    </script>
    </head>
    <body>
    <script>self.close();</script>
    </body>
    </html>
    
     
  • Igor Pavlov

    Igor Pavlov - 2022-04-08

    I don't understand that description.

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-08

    Step-by-step explanation with screenshots.

     
  • Igor Pavlov

    Igor Pavlov - 2022-04-08

    Do you know the way to fix it?

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-08

    It should be closed as follows.

    First step: If all the information in the HELP > contents tab is redirected to the 7-zip website, not embedded in the program, the problem will be completely resolved. Nowadays, applications such as Chrome usually provide such steps through their own websites (please see the attached pictures), which is healthier.

    Second step: This vulnerability is caused by the 7-zip.chm file located under the 7-zip files, removing it will solve the problem, which again shows that we need to perform the first step.

    I will not publish a code until you close this vulnerability, I just think of sharing the executable codes after getting the CVE number. Please feel free to write to me if you need help.

     
  • Igor Pavlov

    Igor Pavlov - 2022-04-08

    Do you mean that any chm file in the system is a problem?
    If so, then why can't Microsoft fix the chm viewer?

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-08

    I will report it to them too, but since 7-zip eventually uses this feature, a security vulnerability has emerged. Apart from the fact that it is a situation on the Microsoft side, the fact that this feature is used by 7-zip means it will be healthier for you if you fix the problem as I said. I don't have any expectations in terms of reward etc.

     
  • Igor Pavlov

    Igor Pavlov - 2022-04-08

    Do you think that there is this "vulnerability" in any chm file?
    Did you test it with all other chm files in the system and chm files in other programs?

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-08

    Yes, I have tested many of them. I also report the examples I see. Your HELP tab should not use hh.exe, even if it uses it, it should call that exe directly, not from within its own kernel. Let me explain with an example. When you look at the attached image, you will see that powershell.exe is running as a child process under 7-zip. For this reason, you can see that while using hh.exe in the background, it is actually running it from within its internals. For this reason, a potential attacker can provide persistence over 7-zip, links such as backdoors, with a chm or html file on 7-zip. Chm extension is not required.
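A detection-side illustration of the process relationship described in this post, added here as an example and not part of the ticket or of the 7-Zip project: it walks constructed process-creation records (the Sysmon-style field names ProcessId, ParentProcessId and Image, the sample paths and the process ids are assumptions) and flags shell interpreters whose ancestry includes the 7-Zip file manager or the hh.exe help viewer. That parent/child shape is what a defender can alert on regardless of whether the root cause sits in 7-Zip or in the Windows help API.

```python
"""
Process-ancestry check: shell interpreters spawned beneath 7-Zip or hh.exe.

Added example, not code from the 7-Zip ticket or project. Input is a
constructed, Sysmon-like process-creation log; the field names
(ProcessId, ParentProcessId, Image) and the sample paths are assumptions.
"""
import re
from dataclasses import dataclass

# Interpreters that should not normally appear beneath an archiver or help viewer.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
# Ancestors that make such a child suspicious. 7zFM.exe / 7zG.exe are the 7-Zip
# GUI binaries; hh.exe is the standalone Windows HTML Help viewer.
SUSPICIOUS_ANCESTORS = {"7zfm.exe", "7zg.exe", "hh.exe"}

LINE_RE = re.compile(r"ProcessId=(\d+)\s+ParentProcessId=(\d+)\s+Image=(.+)$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable basename, lower-cased at parse time


def parse_log(text):
    """Parse key=value process-creation lines into ProcEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unrelated or malformed lines
        pid, ppid, path = int(m.group(1)), int(m.group(2)), m.group(3).strip()
        image = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        events.append(ProcEvent(pid, ppid, image))
    return events


def ancestry(index, pid, max_depth=32):
    """Image names from pid upward until the chain leaves the log or repeats."""
    chain, seen, cur = [], set(), pid
    while cur in index and cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        chain.append(index[cur].image)
        cur = index[cur].ppid
    return chain


def find_suspicious(events):
    """Return (pid, chain) for every shell whose ancestors include a flagged image."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in SHELLS:
            continue
        chain = ancestry(index, e.pid)
        if any(a in SUSPICIOUS_ANCESTORS for a in chain[1:]):
            hits.append((e.pid, " <- ".join(chain)))
    return hits


# Constructed sample log: one benign user shell under explorer.exe, one shell
# chain directly under the 7-Zip file manager (the parent/child shape the
# reporter describes), and one under a standalone hh.exe.
SAMPLE_LOG = r"""
ProcessId=400 ParentProcessId=1 Image=C:\Windows\explorer.exe
ProcessId=512 ParentProcessId=400 Image=C:\Program Files\7-Zip\7zFM.exe
ProcessId=712 ParentProcessId=512 Image=C:\Windows\System32\cmd.exe
ProcessId=730 ParentProcessId=712 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ProcessId=800 ParentProcessId=400 Image=C:\Windows\System32\cmd.exe
ProcessId=900 ParentProcessId=400 Image=C:\Windows\hh.exe
ProcessId=910 ParentProcessId=900 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

if __name__ == "__main__":
    for pid, chain in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"pid {pid}: {chain}")
```

The check walks the whole ancestry rather than only the immediate parent, so a shell launched through an intermediate cmd.exe is still attributed to the archiver or help viewer that started the chain; the benign cmd.exe under explorer.exe in the sample is left alone.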

     
  • Igor Pavlov

    Igor Pavlov - 2022-04-08

    I don't understand your "Chm extension is not required".
    Show the problem without that chm file.
    I don't understand your "HELP tab should not use hh.exe".
    There is no "hh.exe" in your screenshot.

    Can you see the problem with other chm files without 7-Zip?
    If it's such a big problem, why has it still not been fixed in Windows?

     
    👍
    1

    Last edit: Igor Pavlov 2022-04-08
  • Kağan Çapar

    Kağan Çapar - 2022-04-11

    It doesn't have to be chm extension, I can show that this vulnerability is working as .7z, .rar or .zip. And yes, it's a vulnerability caused by helper.exe, but 7-zip uses this feature. It poses a risk to users. I just wanted to inform you that I want to publish the exploit video and code.

     
    👎
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-11

    ...

     
  • Igor Pavlov

    Igor Pavlov - 2022-04-12

    Please publish text description of problem here in this private thread, instead of video and images.
    I still don't understand many aspects of the problem.

     
    👍
    1
  • Igor Pavlov

    Igor Pavlov - 2022-04-12

    7-zip uses the common API for Help.
    So if there is a problem, then it's a problem of that API and Windows, not a 7-Zip related problem.
    So try to separate the 7-zip related parts of the problem from the Windows related parts.

     
    👍
    1
  • Igor Pavlov

    Igor Pavlov - 2022-04-17

    you wrote:

    The zero-day included in 7-zip software is based on misconfiguration of 7z.dll and heap overflow

    What "heap overflow" and "misconfiguration of 7z.dll" do you mean?

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-17

    Yes. I explained the situation to you, but since this is a zero-day, I didn't want to explain it all, I just pointed out the point where you need to take precautions. There is only one point where the command is run in 7-zip and that is the HELP partition. Thanks to the heap overflow inside, you can switch from normal user to administrator authority. You use this command execution process via Microsoft's hh.exe, but in the end, this command works via 7-zip. If you examine my Github page, you can see that it is running as a child process under 7-zip.

     
  • Igor Pavlov

    Igor Pavlov - 2022-04-17

    I don't understand your actions.
    If there is a "misconfiguration of 7z.dll" and a heap overflow in the 7-zip source code, please write me which exact lines of 7-Zip code are related.
    We need some way to locate these lines and fix them.

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-17

    First of all, I would like to apologize. Since I am selling the vulnerability for a fee, I can only tell you how to fix the vulnerability on the "execution" side. When 7-zip users press the HELP button, if hh.exe does not access the Windows api, it will not be possible to run commands from within 7-zip. This is enough to fix the vulnerability. Unfortunately, that's all the information I can give you on this subject.

     
    👎
    1
  • Igor Pavlov

    Igor Pavlov - 2022-04-17

    So you don't want to help fix the "vulnerability", and you want to get money for that?
    7-Zip uses the public Microsoft API of Html Help.
    Do you think that the Html Help API is wrong and all programs must avoid using that API?
    Why?
    Or is there other wrong code in 7-Zip?

     
    👍
    1

    Last edit: Igor Pavlov 2022-04-17
  • Kağan Çapar

    Kağan Çapar - 2022-04-17

    I don't want money from you. I'm not just specifying where the vulnerability is in the source code, but make sure it's not in the Windows API. I was looking for a space where I could run code after I found a vulnerability on 7-zip. I used this function in a hybrid way with the vulnerability I found because it calls the 7-zip HTML Helper file, which turned into a privilege escalation vulnerability. If you use something other than the Windows API and this is not suitable for running code over 7-zip, the vulnerability will not work automatically. I cannot give information about your vulnerability in your source code, but it is impossible to use this vulnerability unless there is a space to run commands. So the immediate solution is to use another API or remove that HELP button.

     
    👎
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-17
     
  • Igor Pavlov

    Igor Pavlov - 2022-04-17

    I still don't understand.
    Please write simpler.
    Do you know some h / cpp file in 7-zip that contains a bug and that can work incorrectly?
    But you don't want to point me to that file?
    Why?

     
    👍
    1
  • Kağan Çapar

    Kağan Çapar - 2022-04-17

    Yes, I know the file and I can't tell you what line it's on, what authorization problem, misspelled syntax, but I can't tell you. Sorry I can't be so helpful. As I said, if you do not use the Windows API (hh.exe), there is no space to run the command and the problem will be solved. The rest is your decision. Good work.

     
    👎
    2