I spoke to the researcher on twitter, his claims don't make much sense. He sent me a file he said proved his claims, but it was just some naïve attempt at directory traversal that couldn't possibly work. When I told him that, he said "that file doesn't belong to me anyway" - then explained he was planning his wedding and was too busy to answer more questions.
Logically, if there was a way to escalate privileges via 7-zip, then it could also be exploited with CreateRemoteThread() - why would a heap overflow be necessary? What change to 7-zip has he requested that would prevent that? Why the bizarre drag-and-dropping operation, why not just double click a HTA file?
I suspect there is no heap overflow and no privilege escalation.
The vulnerability in hh.exe is already well known and documented by the LOLBAS project [0]. My team and I (Adversary Simulation at IBM X-Force Red) conduct stealth-oriented red team security assessments and we use vulnerabilities like this to do our jobs every day - just as any red team worth its salt would. Capabilities like this are built into all kinds of tools that are installed by default on Windows. They are often essential to obtaining code or command execution on hosts through social engineering or post-exploitation when moving laterally between hosts.
This is just speculation, but the privesc vulnerability might be related to memory allocation in the DLL used to integrate with the system shell context menu - i.e. right clicking on a file. Just a guess based on the mention of a heap overflow.
I think it's also probably somewhat common for run of the mill employees to use privilege escalation exploits to get admin access to do regular tasks. At least it was common in places I've worked where your local PC was so locked down that you couldn't do your job, and the official process to work around that wasn't reasonable. Enough people doing that opens up other unintended holes.
A vector is a vector :) Imagine someone with just user privilege to a machine needing admin access to install more pervasive RAT, this gives them a way.
>vulnerability was caused by hh.exe, but they were told that if there was a command injection from hh.exe, a child process should be created under hh.exe, so especially the heap-overflow side of this vulnerability will not be shared with the community.
"Due to community security, it will not be published until the update is passed. Maybe it will never be published :)"
>edit: I personally think the author did a great job finding & publishing it.
Not really.
They seem to be implying they got to running a command as SYSTEM from 7-zip, but, like, don't specify things like what security context 7-zip started as, or how a program running as non-admin got to a system security context, or like, how that's 7zip's fault and not the fault of the OS.
This is all very confusing.
Even if all they did was took that screen shot from process explorer and expanded it to include the user column, it would be like 99% more clear what the fuck is going on.
Very confusingly written document, but from what I gather there are two vulnerabilities that are problematic for different reasons.
1) a command execution vulnerability in 7z. This is problematic because a downloaded 7z file could compromise your machine;
2) a privilege escalation vulnerability in the MS help viewer. This is problematic because it could allow an unprivileged user to gain admin rights. Why the help viewer does anything as NT AUTHORITY\SYSTEM is beyond me.
However the post presents them as one single vulnerability?
> Why the help viewer does anything as NT AUTHORITY\SYSTEM is beyond me.
I don't get it either. From poking around in Process Explorer the help viewer window isn't its own process, it's still part of "7zFM.exe" which is running at medium integrity (not admin). Don't know where the high integrity context is coming from.
I wonder if it's silent elevation, in which case just putting UAC on "always ask" is good enough (and what I do anyway).
The PoC video showed that the current user isn't in the "Administrator" group (though there is another user "zeroday" in there), which makes it look like not a simple UAC bypass. Or perhaps I misunderstood something.
Pretty much every other CHM viewer than the original one has multiple issues displaying CHM files properly or at all.
Even Free Pascal and Lazarus that use their own tools to both produce and view CHM files (Lazarus has its own cross-platform CHM implementation) have their own CHM files working better with the Microsoft CHM viewer than their own viewer.
Phew, I thought I was just bad at parsing this stuff.
It seems kind of weird, like on top of the technical details it is describing some still-in-progress argument with the 7zip folks about who is responsible for the bug.
> Why the help viewer does anything as NT AUTHORITY\SYSTEM is beyond me.
I don't think it does. The report states that they achieved execution as NT AUTHORITY\SYSTEM using psexec from "SysInternals"; arguably, running something as SYSTEM is psexec's entire purpose, but it does require the installation of a service that runs as SYSTEM and brokers execution.
I am failing to see (1). It seems when you drop a file into the help viewer window, it is handled by the help viewer itself. You can try it with a random file. It either displays the file inside the help viewer as an HTML file, or a Internet Explorer-like download dialog shows up.
It seems that 7-zip opens the .chm help file using the HtmlHelp [1] WinAPI call. This API call does not even seem to run `hh.exe`. How does this privilege escalation actually work?
If there is a privilege escalation vulnerability in Windows Help Viever then nobody can stop anyone from writing a payload that mimicks the heap overflowing code in 7zip.
But of course that doesn't get you clicks so why not bait everyone by attaching name of a popular open source software to it.
He has commented about security researchers and industry on several times over the years, but to sum it up we can say he doesn't think of very highly of them :p
I don't understand security stuff really (the computer misbehaves frequently enough when I'm not trying to do evil things to it, why would I try to make it worse?) but this seems a little weird to me. Why does 7zip even have admin privileges to give away, in the first place? It seems to be based on some odd interaction with the help system but I can't really parse the description.
The description of the bug seems a bit weird
> At this stage, 7-zip stated that the vulnerability was caused by hh.exe, but they were told that if there was a command injection from hh.exe, a child process should be created under hh.exe, so especially the heap-overflow side of this vulnerability will not be shared with the community.
I think this is a reference to a conversation with the people behind 7-zip (?). It seems like a weird mix of technical details and finger-pointing.
> As it is known, Microsoft HELPER ie hh.exe file "html help. full name microsoft html help executable. Program that opens help files with the chm extension." has been defined as. Many operations such as XXE, Command Execution are performed through the hh.exe file. It is possible to see vulnerabilities such as XXE or command execution in every program that uses the hh.exe interface. This issue came to my mind after the discovery of the XXE vulnerability detected by WinRAR. (https://www.exploit-db.com/exploits/47526) Although the developers of 7-zip say that Microsoft should fix the command execution authority obtained from hh.exe at this point, it has been observed that at the end of the day, thanks to the heap overflow in 7zFM.exe and the command execution feature in hh.exe, privilege elevation is provided in the administrator mode.
Seems like a pretty solid argument from the 7zip folks, right? They can't really be blamed if the Windows help system has decided to give them root for some reason. And since 7zip is partially open source, any would-be hacker could just grab an old version of the code if they wanted to weaponize this, right?
Windows privilege escalation bugs are so unbelievably common. We just fixed one in our MSI installer, and when I went to search for the CVE there were like 10 recent ones from different things including various VPN clients and shell extension apps.
The culprit is usually the insane Windows ACL permission system. Unix permissions look like "rwxr-xr-x" while a very simple example of a Windows permission is:
D:(A;OICI;FA;;;SY)(A;OICI;FA;;;WD)
Windows is a single user OS. If you are depending on its local user permission access control to be anything more than advisory you are going to have a bad time.
The string-based representation of Windows ACLs is more complex than Linux ACLs - because it's a more complex and powerful system.
While your last paragraph is technically true, ACLs can also be applied on files from network shares.
And of course (just as on Linux), even on single, non-networked machines, only very technical users will realistically be able to access files they are not authorised for.
It may be more capable but that comes at a high cost in terms of usability, bugs, and vulnerabilities. Complexity is generally bad for security especially when the system doesn't seem well designed to manage it.
1. If we're talking about desktops systems, privesc is trivial in either OS. In Linux you can do a million things to privesc, such as snooping passwords via X11, modifying the various user files like ~/.bashrc with aliases, etc. On Windows UAC isn't even intended to be a barrier.
2. If we're talking about servers, I'm not sure that Windows is 10:1 worse on privescs.
I'd say the main intention of UAC is to make sudo but without obvious vulnerabilities. The UAC dialog is wired deep into the system and you can't fake it. It takes priority over any UI stuff and won't accept input from a program you didn't specifically authorize (which requires accepting a UAC prompt).
On the flipside, all it takes to manipulate sudo on Unix systems is to write a TTY emulator that just middlewares between the user and sudo. Then just alias via bashrc or any number of other places that can prompt for a user password. There is not protection sudo can deploy against that. Polkit helps a bit but X11 isn't great at helping there either since other programs can just send keystrokes.
It is a clear privilege boundary, just not a barrier. Beyond UAC is Admin, before UAC is non-Admin. Crossing that divide requires a user interaction. UAC can be a barrier if it would display more about the programs intention. Similar sudo could be improved the same way.
You're absolutely correct about the Windows ACL system. The discretionary access control system in Windows can easily be subverted by a poorly configured dynamic access control policy.
Windows is not a single-user OS. Even a standard "desktop" installation can support multiple sessions through terminal services, but usually it is not configured to allow multiple concurrent interactive sessions.
This looks more like a bug in Windows help system than 7zip. At least it's easy to avoid, although dragging and dropping files in 7zip is an expected operation, I don't think people are opening their "help" often.
I wonder how many programs have this bug? How many programs have Windows help and involve dragging and dropping files?
This involves dragging-and-dropping files onto the Help window, not 7-zip proper. This is something nobody ever does, so it’s a classic overblown “vulnerability”.
while it's certainly something that's unlikely to be exploited by a remote attacker, local privilege escalation is a real issue.
details on the LPE are not yet released, it's only shown in the video.
assuming the LPE is real and also caused by 7-zip, this is a critical issue for anyone that has unprivileged users use their systems where 7-zip is installed.
looking at the SourceForge forums, it looks like the 7zip author still doesn't know where the security breach is coming from, but the security researcher doesn't seem forthcoming in pointing it out to him...
Türkçe bilmediğim için google translate kullandığım için beni bağışlayın.
Öncelikle, edindiğiniz incelemelerden bazılarını açıklamaya çalışmak istiyorum: Anladığım kadarıyla, kötü aktörler, sosyal deneyler veya tam şarlatanlar bir kereden fazla kendilerini twitter gibi yerlerde yasal güvenlik araştırmacıları olarak kurmayı başardılar. daha sonra teknik olmayan kişiler veya bir şeyleri iki kez kontrol etmeyen kişiler tarafından büyütülen yalanlar. Bu nedenle, bazı yüksek profilli güvenlik araştırmacıları, asılsız iddialarda bulunan ve onlara karşı uyarıda bulunan kişilere karşı temkinlidir.
Bunu yayınlamanın/paylaşmanın ne anlamı var diye sormak istiyorum, bilinen bir yama yoksa bakımcılar bunun gerçek bir sorun olduğunu düşünmüyorlar ve aslında hiçbir detay paylaşmayacaksınız.
İkinci soru, eğer yama yapılırsa/ne zaman olursa veya bakımcılar yama yapmayı reddederse daha ayrıntılı bir açıklama veya bir PoC yayınlamayı planlıyor musunuz?
Super problematic that the HN mod team removed these posts by the author. His replies to this thread can likely be used to help ascertain the legitimacy of his claims, despite any rule-breaking they contained - let it be visible to the public.
I think this is "zero day" in the sense of no patch is available, not in the sense of skipping responsible disclosure.
This has a CVE number allocated (CVE-2022-29072) and the README mentions 7-zip disputing that this is their problem (rather, some underlying Windows component).
Imagine someone you think is homeless comes up to you and says, hey you left your child on top of your car. You say, thanks but did you fill out form K7804 to inform me responsibly about the issue.
They say, form K7804? But your child, and that sounds like a lot of work to help you.. will you pay me to waste my time to help you?
You say, no guarantees that I'll pay you but if you don't inform me responsibly, I'll tell everyone you are the bad person here.
What are you talking about? Analogies are weak point makers even when they're accurate, but what you're describing as entirely unrelated to what happened.
This is Microsoft's bug that affects many programs. Was Microsoft informed before this exploit was made public? What does it buy anyone to throw this out in the public first? There is no indication that the exploit finder was hunting a bounty or denied a bounty. Afaict you fabricated a controversial story in your head then tried to explain it to everyone else.
I think a better comparison would be: Someone has left a child on a car roof. Someone else sees it and instead of telling the person, posts about it online.
This analogy would almost work, but the program actually makes others' computers vulnerable. So, it is more like deciding not to fill out form K7804 if a bunch of people's kids were on top of a schoolbus.
And also, disclosure actually makes attackers aware of the vulnerability. So, it is like informing a radio station which will broadcast out the message. And while many bus drivers listen to this ratio station, it is actually really popular among a set of people who enjoy crashing into misconfigured buses like this to cause mayhem.
I'm not sure how to fit the state sponsored bus crashers into the analogy. Actually I'm beginning to think it isn't a very useful analogy at all.
Logically, if there was a way to escalate privileges via 7-zip, then it could also be exploited with CreateRemoteThread() - why would a heap overflow be necessary? What change to 7-zip has he requested that would prevent that? Why the bizarre drag-and-dropping operation, why not just double click a HTA file?
I suspect there is no heap overflow and no privilege escalation.