7-Zip 0-day was exploited in Russia’s ongoing invasion of Ukraine

OnlyONE4Hope2SaveJohn14.6

Smack-Fu Master, in training
1
Hi all! I'm the threat hunter who found this vulnerability. There is some confusion as to the file extension and execution. The second archive file starts with a Cyrillic "Es" character; in the wild the file extension is .do[es]/.doc, where [es] is the placeholder for the Cyrillic character, which looks like a Latin "c" character. In many cases commonly used extensions are tied to applications which will open these files by default. Since .do[es] is not tied to any program, Windows doesn't know how to handle it. Now the interesting thing is that 7-ZIP will not only look at the file extension BUT also at the file's magic bytes "\x37\x7A\xBC\xAF \x27 \x1C" in the header. Recognizing the 7-Zip magic bytes, 7-Zip will then proceed to process this file as an archive, the contents of which will not receive mark-of-the-web protections due to CVE-2025-0411.
Good to know. Thanks for sharing.
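The extension/magic-bytes mismatch the threat hunter describes, as an added triage example (not code from the article, the commenters, or 7-Zip): it flags file names whose extension contains non-ASCII homoglyph characters and file headers that carry the 7z signature under some other extension. The sample file names and header bytes below are constructed.

```python
import unicodedata
from pathlib import PurePath

# 7z container signature, the header bytes quoted in the post above.
SEVENZIP_MAGIC = b"\x37\x7A\xBC\xAF\x27\x1C"


def non_latin_extension_chars(filename: str) -> list[str]:
    """Return the non-ASCII characters found in the file's extension.

    A Cyrillic 'es' (U+0441) in '.do\u0441' renders like a Latin 'c', so the
    name reads as '.doc' while Windows sees an unregistered extension.
    """
    ext = PurePath(filename).suffix
    return [f"{ch} ({unicodedata.name(ch, 'UNKNOWN')})" for ch in ext if ord(ch) > 0x7F]


def is_7z_container(header: bytes) -> bool:
    """True when the first bytes carry the 7z signature, whatever the extension."""
    return header[: len(SEVENZIP_MAGIC)] == SEVENZIP_MAGIC


def assess(filename: str, header: bytes) -> list[str]:
    """Combine both checks into a list of findings for an analyst to review."""
    findings = []
    odd = non_latin_extension_chars(filename)
    if odd:
        findings.append("non-ASCII character(s) in extension: " + ", ".join(odd))
    if is_7z_container(header):
        ext = PurePath(filename).suffix.lower()
        if ext != ".7z":
            findings.append(f"7z signature under extension {ext!r}")
    return findings


# Constructed samples: a homoglyph name over a 7z header, and a plain .doc
# over an OLE2 compound-document header (the legacy Word container format).
SAMPLES = {
    "report.do\u0441": SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 26,
    "report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(repr(name), assess(name, header) or ["no findings"])
```

On a real system the same checks would be run over the first 32 bytes of each file in a download or mail-attachment directory, with any hit routed to manual review.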

mygeek911

Ars Scholae Palatinae
771
Subscriptor++
It's worth noting that many organizations have probably had to worry about this for far longer than this bypass: 7-Zip doesn't even enable the "Propagate Zone.id stream" setting by default!

https://sourceforge.net/p/sevenzip/discussion/45798/thread/f8540df579/
https://sourceforge.net/p/sevenzip/discussion/45797/thread/5cd8e0f77e/

Holy cow! Today I learned something new. Thank you for the excellent information!
And thank you for bringing this to attention!