oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 24 Jan 2025 12:21:14 -0800
https://www.zerodayinitiative.com/advisories/ZDI-25-045/ discloses:


7-Zip Mark-of-the-Web Bypass Vulnerability

ZDI-25-045
ZDI-CAN-25456
CVE ID                  CVE-2025-0411
CVSS SCORE              7.0, AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
AFFECTED VENDORS        7-Zip
AFFECTED PRODUCTS       7-Zip

VULNERABILITY DETAILS

This vulnerability allows remote attackers to bypass the Mark-of-the-Web
protection mechanism on affected installations of 7-Zip. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the handling of archived files. When
extracting files from a crafted archive that bears the Mark-of-the-Web,
7-Zip does not propagate the Mark-of-the-Web to the extracted files.
An attacker can leverage this vulnerability to execute arbitrary code in
the context of the current user.

Fixed in 7-Zip version 24.09

DISCLOSURE TIMELINE

    2024-10-01 - Vulnerability reported to vendor
    2025-01-19 - Coordinated public release of advisory
    2025-01-19 - Advisory Updated

CREDIT                  Peter Girnus - Trend Micro Zero Day Initiative



https://www.7-zip.org/history.txt lists this fix in the 24.09 release as:

- The bug was fixed: 7-Zip File Manager didn't propagate Zone.Identifier stream
  for extracted files from nested archives (if there is open archive inside another open archive).


As explained on https://en.wikipedia.org/wiki/Mark_of_the_Web
the Zone.Identifier metadata is what Microsoft Windows platforms use
to track where files were downloaded from in order to warn you if you
are opening a file from a remote website.

Correspondingly, the Zone.Identifier handling code in
7z2409-src/CPP/7zip/UI/Common/ArchiveExtractCallback.cpp
is wrapped inside "#if defined(_WIN32)".

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Previous By Date Next
Previous By Thread Next

Current thread: