Buy WinRAR. 7zip + HTML Help wombo combo potentially allows privilege escalation

WhitetailAni

Summary

According to Kağan Çapar, a Turkish security researcher, an exploit using Microsoft's HTML Help program hh.exe, ActiveX controls, and 7zip allows privilege escalation via ActiveX controls if a specially crafted .7z file is dragged over 7zip's "help" window. Even though ActiveX was last released in 2013 and is officially deprecated, it's still used in hh.exe. Because Microsoft.

Kağan notes that it's possible to fix this by deleting the .chm file where 7zip has been installed.

 

However, the CVE website notes that other third parties have checked and noted that no privilege escalation has occurred, and as such the CVE is labeled "Disputed".

Quotes

Quote

When utilizing 7-Zip's help menu, it executes the hh.exe, which can still run and use ActiveX objects. If you attempt to drag a .7z extension file to that window that appears, after malware or an attacker has run their piece to unlock the nasty potential of elevated access, it can potentially open up a command prompt with elevated administrator access. This is displayed in the video made by Kağan Çapar, a security researcher from Turkey.

Quote

Kağan does state in his GitHub, which outlines the vulnerability, that he will not publish the details of the exploit until after the issue is patched by the 7-Zip developers. No action has been taken yet, unfortunately. He does, however, go on to say that the bug report has been issued to 7-Zip developers, and that its CVE-2022-29072 designation has been submitted to security reporting web sites.

Quote

NOTE: multiple third parties have reported that no privilege escalation can occur.

My thoughts

I'm curious how this was stumbled upon. It's cool, but realistically how many will be impacted?

Most of the uses will likely be students looking to get around restrictions on school computers.

Sources

https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2022-29072

https://www.tomshardware.com/news/7-zip-zero-day-exploit

https://hothardware.com/news/7-zip-security-flaw-grants-full-admin-rights

elephants


Overall not sure how big of a deal this will be.

 

Not sure how many corps actually use 7-zip as their daily driver... I'd imagine most get along with just Windows compression software. While the school use case might be a thing, not sure how many schools would also run 7-zip; and fortunately I think this would have very limited use cases which most people and corporations wouldn't have to worry about... with needing physical access to the computer and already being logged in anyways

3735928559 - Beware of the dead beef


<snip>

 

Saw you already noted that in the OP. Good job. To be fair hh needs to be discontinued, it's old as hell. Web documentation or a local PDF will work fine. 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


16 minutes ago, wanderingfool2 said:

Overall not sure how big of a deal this will be.

 

Not sure how many corps actually use 7-zip as their daily driver... I'd imagine most get along with just Windows compression software. While the school use case might be a thing, not sure how many schools would also run 7-zip; and fortunately I think this would have very limited use cases which most people and corporations wouldn't have to worry about... with needing physical access to the computer and already being logged in anyways

I worked for an outsourcing helpdesk for 6 years, and a direct IT hire for a few companies since. The mass majority of companies I'm aware of use 7zip. Not always deployed with the image, but at the very least available in software center. (Including at least 1 DoD Contractor)


19 minutes ago, rcmaehl said:

I worked for an outsourcing helpdesk for 6 years, and a direct IT hire for a few companies since. The mass majority of companies I'm aware of use 7zip. Not always deployed with the image, but at the very least available in software center. (Including at least 1 DoD Contractor)

Yea, quite honestly I haven't worked in enough places to properly tell.

 

My last place of work we didn't use 7zip and the prior one we shelled out for winrar. Everywhere I worked, we haven't used 7zip... except as a standalone program occasionally... but sounds like this is a vulnerability with 7-zip (and maybe some of the services running in admin mode) so I would suspect the standalone version wouldn't be affected. I do concede though that many places might still have this


And what effect does this have on PCs that use multiple accounts?

 

Like

1 admin account that is only used when installing a new game/program

and 

1+ user accounts without admin rights, for daily use.

 

Would an admin CMD prompt not request a password beforehand?

 

There is too much missing information, and the video they used is way too slow and does not show ESSENTIAL information, like whether the account used is already an admin account or not.

hardware
cpu: ryzen 9 5900x
GPU: ASUS strix LC RX6800xt
motherboard: asus crosshair formula VIII
memory: CMW32GX4M2Z3600C18
SSD: Samsung 980 PRO 1TB
PSU: Corsair RM850x 850W
CPU cooler: be quiet! PURE LOOP 360mm
Case: Thermaltake Core X71
HDD: 2TB and 6TB HDD
Front IO: LG blu-ray drive & 3.5" card reader [through a 5.25 to 3.5 bay]
OS: Windows 10 PRO

 


2 hours ago, FakeKGB said:

if a specially crafted .7z file is dragged over 7zip's "help" window

I have not once opened the Help window of 7zip... Didn't even know it had one.

But I guess as long as I'm not dumb enough to do this, all will be fine.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


If confirmed then it would seem to be an extremely niche exploit to get the pieces in place.

 

I've moved to 7zip as my main compressed file manager for a long time. So long, I can't even remember what I used before that. In the ancient times of the internet I do recall using WinRAR because it was the most commonly used format to distribute pirated software at the time. I have no idea what's used these days. In business zips were used I guess because of widest compatibility. Zip feels ancient though; used pkzip and also in that era lha (lzh) which was common for files from Japan.

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


I will definitely not be buying WinRAR - it was a decent program back in the day, and I'm sure it's still fine - but 7zip is pretty much perfect.

 

Hopefully the exploit will get patched soon though.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


2 hours ago, wanderingfool2 said:

Overall not sure how big of a deal this will be.

 

Not sure how many corps actually use 7-zip as their daily driver... I'd imagine most get along with just Windows compression software. While the school use case might be a thing, not sure how many schools would also run 7-zip; and fortunately I think this would have very limited use cases which most people and corporations wouldn't have to worry about... with needing physical access to the computer and already being logged in anyways

7zip is very common. Adding 7zip to a computer is about as common as adding firefox or chrome to a computer. Not something you'll see on every public/work/school computer, but it's certainly not uncommon


32 minutes ago, porina said:

If confirmed then it would seem to be an extremely niche exploit to get the pieces in place.

 

I've moved to 7zip as my main compressed file manager for a long time. So long, I can't even remember what I used before that. In the ancient times of the internet I do recall using WinRAR because it was the most commonly used format to distribute pirated software at the time. I have no idea what's used these days. In business zips were used I guess because of widest compatibility. Zip feels ancient though; used pkzip and also in that era lha (lzh) which was common for files from Japan.

I often use 7-zip to encrypt sensitive data as well. Fantastic program. Been using it on my PCs for a decade. 

My eyes see the past…

My camera lens sees the present…


Who the hell ever drags something onto a help window?  

Workstation:  14700nonk || Asus Z790 ProArt Creator || MSI Gaming Trio 4090 Shunt || Crucial Pro Overclocking 32GB @ 5600 || Corsair AX1600i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


3 hours ago, poochyena said:

7zip is very common. Adding 7zip to a computer is about as common as adding firefox or chrome to a computer. Not something you'll see on every public/work/school computer, but it's certainly not uncommon

I mean that depends. This kind of exploit would be more affecting corporate than individual users... given that it's privilege escalation (and that's a maybe given the status of things).

 

Also, if the company already had winrar license, no real need to go with 7zip (unless you want other types of compression)...but honestly internally .zip file is the go-to for most things I've encountered (like submitting documents and such)...since some of the compression formats don't exactly play well with antivirus tools.

 

Like I said in my later post, the last 2 places I've worked never utilized 7zip at all (well I had the standalone on my computer to do a few things...but no one else had it).  I mean for $5 per user that's pretty cheap given that you could have bulk purchased it years ago and still use it (and afaik there has only been one major security exploit in WinRar)


On 4/20/2022 at 10:14 PM, AnonymousGuy said:

Who the hell ever drags something onto a help window?  

there was an 'exploit' recently where people dragged a window *into the URL bar* (iirc) so yeah, people really just like to drag random stuff around for no reason. ("…let's see what happens if I do this… whoops!") ¯\_(ツ)_/¯

 

 

OT: nah, I'll keep using 7zip and just not drag stuff around; winrar never worked for me, "error error error", no thanks!

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


@FakeKGB Here's a kicker of an update for you

 

Quote

I'm being honest with you. Actually, I'm trying to find another vulnerability on 7-zip software, and it's happening again with heap-overflow. If I tell you which file is in the source code and on which line, you will close the vulnerability. I am a hacker. I'm evaluating and I don't want to say because I make money from this business. I won and I'm just telling you how to turn it off from the interface. If there is no access to hh.exe from the interface, there is nowhere to trigger anyway. I don't intend to reveal the details of the vulnerability because that's the way I am selling it.

 

Source: 7-Zip / Bugs / #2337 7-zip Code Execution Vulnerability (archive.org)


16 hours ago, rcmaehl said:

@FakeKGB Here's a kicker of an update for you

 

 

Source: 7-Zip / Bugs / #2337 7-zip Code Execution Vulnerability (archive.org)

Err... does this mean *any* help file can trigger it? So all the 7zip guys need to do is remove their "help" option, or isn't this whole thing more of a Microsoft issue then?

 

 

And lastly... is this "researcher" asking for $$$?  🤔

 

@FakeKGB any updates?


7 hours ago, Mark Kaine said:

Err... does this mean *any* help file can trigger it? So all the 7zip guys need to do is remove their "help" option, or isn't this whole thing more of a Microsoft issue then?

The original discoverer said it required a "maliciously crafted" file ending in .7z, so I don't think it's just any old file.

On 4/22/2022 at 11:51 AM, rcmaehl said:

Interesting.

So quick update (yes I just copy pasted the template).

 

Summary

archive.org has saved 7zip's bug page on Sourceforge on April 21st, 2022. It shows an interesting conversation between the discoverer of the bug, Kağan Çapar, and the maintainer of 7zip, Igor Pavlov. Çapar, for some reason, refuses to tell Pavlov exactly where the bug is.

Quotes

Çapar:

Quote

It should be closed as follows.

First step: If all the information in the HELP > contents tab is redirected to the 7-zip website, not embedded in the program, the problem will be completely resolved. Nowadays, applications such as Chrome usually provide such steps through their own websites (please see the attached pictures), which is healthier.

Second step: This vulnerability is caused by the 7-zip.chm file located under the 7-zip files, removing it will solve the problem, which again shows that we need to perform the first step.

I will not publish a code until you close this vulnerability, I just think of sharing the executable codes after getting the CVE number. Please feel free to write to me if you need help.

Quote

Yes. I explained the situation to you, but since this is a zero-day, I didn't want to explain it all, I just pointed out the point where you need to take precautions. There is only one point where the command is run in 7-zip and that is the HELP partition. Thanks to the heap overflow inside, you can switch from normal user to administrator authority. You use this command execution process via Microsoft's hh.exe, but in the end, this command works via 7-zip. If you examine my Github page, you can see that it is running as a child process under 7-zip.

Pavlov:

Quote

I don't understand your actions.
If there is "misconfiguration of 7z.dll" and heap overflow in 7-zip source code, please write me what exact lines of 7-Zip code are related.
We need some way to locate these lines and fix them.

Çapar:

Quote

First of all, I would like to apologize. Since I am selling the vulnerability for a fee, I can only tell you how to fix the vulnerability on the "execution" side. When 7-zip users press the HELP button, if hh.exe does not access the Windows api, it will not be possible to run commands from within 7-zip. This is enough to fix the vulnerability. Unfortunately, that's all the information I can give you on this subject.

Pavlov:

Quote

So you don't want to help to fix "vulnerability", and you want to get money for that?
7-Zip uses public Microsoft API of Html Help.
Do you think that Html Help API is wrong and all programs must avoid using that API?
Why?
Or there is another wrong code in 7-Zip?

Çapar:

Quote

I don't want money from you. I'm not just specifying where the vulnerability is in the source code, but make sure it's not in the Windows API. I was looking for a space where I could run code after I found a vulnerability on 7-zip. I used this function in a hybrid way with the vulnerability I found because it calls the 7-zip HTML Helper file, which turned into a privilege escalation vulnerability. If you use something other than the Windows API and this is not suitable for running code over 7-zip, the vulnerability will not work automatically. I cannot give information about your vulnerability in your source code, but it is impossible to use this vulnerability unless there is a space to run commands. So the immediate solution is to use another API or remove that HELP button.

Quote

Yes, I know the file and I can't tell you what line it's on, what authorization problem, misspelled syntax, but I can't tell you. Sorry I can't be so helpful. As I said, if you do not use the Windows API (hh.exe), there is no space to run the command and the problem will be solved. The rest is your decision. Good work.

Pavlov:

Quote

So do you know exact line of bug in 7-zip source code?
And you don't point me it intentionally?
Why?
Do you think that it's good practice to hide full information about possible vulnerability from developer of software?
When you'll disclose details of bug and whom?

Çapar:

Quote

I'm being honest with you. Actually, I'm trying to find another vulnerability on 7-zip software, and it's happening again with heap-overflow. If I tell you which file is in the source code and on which line, you will close the vulnerability. I am a hacker. I'm evaluating and I don't want to say because I make money from this business. I won and I'm just telling you how to turn it off from the interface. If there is no access to hh.exe from the interface, there is nowhere to trigger anyway. I don't intend to reveal the details of the vulnerability because that's the way I am selling it.

My thoughts

Well that's... special.

You can see the full conversation at the links listed at Sources, but the gist of it is that Çapar knows where the vulnerability is in the source code, but won't tell Pavlov since then he won't get paid. Çapar gives Pavlov the easy solution (don't use hh.exe), then proceeds to mostly ignore the rest of Pavlov's questions about "Is this a vulnerability in Windows?" "Can you at least tell me what file it's in in the source?".

Pavlov closes the discussion after Çapar's last message (as shown in Quotes).

Sources

https://web.archive.org/web/20220421231342/https://sourceforge.net/p/sevenzip/bugs/2337/?page=0

https://web.archive.org/web/20220421231342/https://sourceforge.net/p/sevenzip/bugs/2337/?page=1

elephants


2 hours ago, FakeKGB said:

My thoughts

Well that's... special.

You can see the full conversation at the links listed at Sources, but the gist of it is that Çapar knows where the vulnerability is in the source code, but won't tell Pavlov since then he won't get paid. Çapar gives Pavlov the easy solution (don't use hh.exe), then proceeds to mostly ignore the rest of Pavlov's questions about "Is this a vulnerability in Windows?" "Can you at least tell me what file it's in in the source?".

Pavlov closes the discussion after Çapar's last message (as shown in Quotes).

Sources

https://web.archive.org/web/20220421231342/https://sourceforge.net/p/sevenzip/bugs/2337/?page=0

https://web.archive.org/web/20220421231342/https://sourceforge.net/p/sevenzip/bugs/2337/?page=1

yup, that's what I thought...

 

it's quite odd... he wants to sell it, but he also told pavlov how to fix it... which makes selling the vulnerability useless... 🤔 sus!

 

Unless it's an MS vulnerability, which I think is likely.

 

 

So what pavlov should do is fix the program, i.e. remove the damn help thing... *and* contact Microsoft / other security experts... I think with more eyes they'll figure it out, and it's for everyone's benefit (except capar)

 

🤷🤷🤷


<Black Hat Hacker used Zero-Day!>

<Black Hat Hacker is confused!>

<Black Hat Hacker hit himself in confusion!>

 

That's what the conversation reads like to me.

 

Could also just be some random guy blowing a lot of smoke to try to gain notoriety, or find a fool willing to pay for his non-existing vulnerability.


I can't seem to find info on whether the issue is in the 7zip binary or the included CHM help file specifically. Or is it the CHM file, and could that be ANY CHM file and not necessarily the one that comes with 7zip?


3 hours ago, RejZoR said:

I can't seem to find info on whether the issue is in the 7zip binary or the included CHM help file specifically. Or is it the CHM file, and could that be ANY CHM file and not necessarily the one that comes with 7zip?

The news sites that I looked at are saying that using the .chm file with the malicious .7z file triggers an overflow in 7zFM.exe, granting the code execution.

I'm guessing it might be any .chm file. Not sure.

elephants
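The thread ties the reported behaviour to 7-Zip's Help button launching Microsoft's hh.exe, with a command prompt then appearing from that help window (Çapar says it shows up as a child process under 7-Zip). Whether or not the CVE holds up, that process chain is unusual on a workstation and cheap to alert on, so here is an added detection sketch, not code from the thread or from 7-Zip, run over constructed process-creation records; the event fields are this example's own simplification, not a real Sysmon schema, and it generalises slightly by flagging PowerShell as well as cmd.exe.

```python
"""Detection sketch for the process chain discussed in the thread:
7zFM.exe -> hh.exe -> interactive shell.

Added example, not code from the thread or from 7-Zip. The records below are
a constructed, simplified stand-in for process-creation telemetry (think
Sysmon Event ID 1); field names are this example's own, not a real schema.
"""
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# Interactive shells worth alerting on when spawned from a help window.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HELP_VIEWER = "hh.exe"      # Microsoft HTML Help viewer, named in the thread
ARCHIVER_GUI = "7zfm.exe"   # 7-Zip File Manager, named in the thread


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full image path as logged
    user: str


# Constructed sample telemetry: alice opens 7-Zip's help and a shell appears
# under it (pid 400); alice also runs a normal shell from Explorer (pid 500);
# bob runs a shell under a stand-alone hh.exe not launched by 7-Zip (pid 700).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe",         "CORP\\alice"),
    ProcEvent(200, 100, r"C:\Program Files\7-Zip\7zFM.exe", "CORP\\alice"),
    ProcEvent(300, 200, r"C:\Windows\hh.exe",               "CORP\\alice"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",     "CORP\\alice"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe",     "CORP\\alice"),
    ProcEvent(600, 1,   r"C:\Windows\hh.exe",               "CORP\\bob"),
    ProcEvent(700, 600, r"C:\Windows\System32\cmd.exe",     "CORP\\bob"),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path, using Windows path rules."""
    return ntpath.basename(image).lower()


def ancestry(index: Dict[int, ProcEvent], pid: int, max_depth: int = 8) -> List[ProcEvent]:
    """Walk parent links upward from pid; stops at an unknown parent or max_depth."""
    chain: List[ProcEvent] = []
    ev = index.get(pid)
    while ev is not None and len(chain) < max_depth:
        chain.append(ev)
        ev = index.get(ev.ppid)
    return chain


def find_help_spawned_shells(events: List[ProcEvent]) -> List[dict]:
    """One finding per shell whose parent is hh.exe and grandparent is 7zFM.exe.

    A shell under an hh.exe that 7-Zip did not launch (bob, pid 700) is not
    flagged, because the thread ties the behaviour to 7-Zip's own help window.
    """
    index = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        names = [basename(e.image) for e in ancestry(index, ev.pid)]
        # names[0] is the shell, names[1] its parent, names[2] its grandparent
        if len(names) >= 3 and names[1] == HELP_VIEWER and names[2] == ARCHIVER_GUI:
            findings.append({"pid": ev.pid, "user": ev.user,
                             "chain": list(reversed(names))})
    return findings


if __name__ == "__main__":
    for f in find_help_spawned_shells(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['user']}): {' -> '.join(f['chain'])}")
```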
