CVE-2023-52168, CVE-2023-52169: buffer overflow, over-read vulnerabilities in the 7-Zip archiver

[Maxim Suhanov <dfirblog () gmail com>]

Reference:
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/

Details:

In short, both vulnerabilities affect the "full" implementation (i.e.,
7zz and its library), which includes the NTFS parser.
Implementations not using the NTFS parser (e.g., 7za and 7zr) aren't affected.
Both vulnerabilities were silently fixed in 24.01 (beta). No advisory
(or a related change log entry) issued.

CVE-2023-52168:
> The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains a heap-based buffer
> overflow that allows an attacker to overwrite two bytes at multiple
> offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10,
> i=11, etc.

This vulnerability would be very hard to exploit to gain code execution.

CVE-2023-52169:
> The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains an out-of-bounds read
> that allows an attacker to read beyond the intended buffer.
> The bytes read beyond the intended buffer are presented as a part of a
> filename listed in the file system image. This has security relevance in
> known web-service use cases where untrusted users can upload files
> and have them extracted by a server-side 7-Zip process.

This over-read bug affects implementations that:
- use 7-Zip as a library to process archives, and
- run a single process to process archives from multiple (untrusted)
sources, and
- allow users to observe file names stored in their processed archives.

(Otherwise, there are no obvious security implications.)

Examples include online tools to convert/extract archives.
At least one online service was affected by this vulnerability: i.e.,
it allowed a remote attacker to leak chunks of data from a server-side
process.

Timeline:

* 2023-08-18: the vulnerability was reported to Igor Pavlov.
* 2024-01-31: a fixed version (24.01 beta) is available.