Corruption, Code Execution Vulnerabilities Patched in Open Source Archiver 7-Zip

Several vulnerabilities were fixed this week in the file archiver 7-Zip which could have led to arbitrary code execution and file corruption.

The developer behind the tool, which is open source and supports a wide range of compression and archive formats, is urging users to update to the most recent patched version, 16.00, as soon as possible to mitigate the issues.

Igor Pavlov, a Russian programmer who maintains the tool, announced the update on Tuesday, in a blog post on the software’s SourceForge forum.

Marcin Noga, a senior research engineer with Cisco's Security Intelligence and Research Group, Talos, identified the vulnerabilities. All of them stem from the application failing to validate input data.

The vulnerabilities could be easily exploited if an attacker sent a victim a specially crafted file to open via the tool, according to fellow Talos researcher Jaeson Schultz, who described the vulnerabilities along with Noga in a blog post Wednesday.

"An attacker could send or otherwise serve their intended victim a file, and the victim would unknowingly process it using their vulnerable copy of 7-Zip," Schultz told Threatpost on Thursday. "The result is that the attacker could execute their own code using the same privileges as the victim."

Because of the way 7-Zip processed some compressed file types, a victim running an older version of the tool could be tricked into opening a rigged file and triggering the vulnerabilities.

An out-of-bounds read vulnerability in the way the tool handled UDF (Universal Disk Format) files was the most dangerous issue fixed in the update. If exploited, it could have led to arbitrary code execution. According to Noga, the tool failed to check whether an index field read from the file was larger than the number of available "partition map objects," so a crafted value could trigger a read outside the bounds of that list.

The second issue, a heap overflow vulnerability, is in 7-Zip's Archive::NHfs::CHandler::ExtractZlibFile method, part of its HFS+ handling.

Again, like the out-of-bounds read, 7-Zip fails to check whether the size of a block it processes is larger than the size of the destination "buf" buffer, which can cause an overflow and "subsequent heap corruption," according to Schultz.
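Both bugs follow the same pattern: a value read from the archive (an index in the UDF case, a block size in the HFS+ case) is used without being compared against the size of the structure it addresses. The block below is an added illustration of that pattern and its fix, written for this article; it is not 7-Zip's code and does not reproduce its parsers. The structure and field names (Volume, PartMap, LongAllocDesc, BlockEntry, partitionRef, BUF_SIZE) and the sample inputs are assumptions constructed for the example, and whether "buf" lives on the heap or the stack does not change the check that was missing.

```c
/* Added illustration of the two unchecked-input bugs described above.
 * NOT 7-Zip's code: all types, field names, BUF_SIZE and the sample data
 * are assumptions chosen to mirror the article's description. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PART_MAPS 4
#define BUF_SIZE 32   /* the fixed-size "buf" a decompressed block lands in */

typedef struct { uint32_t startBlock; uint32_t numBlocks; } PartMap;

/* Volume state parsed from an untrusted archive. */
typedef struct {
    PartMap  maps[MAX_PART_MAPS];
    uint32_t numMaps;            /* number of maps[] entries actually read */
} Volume;

/* A descriptor whose partitionRef selects one of the partition maps. */
typedef struct { uint32_t partitionRef; uint32_t logicalBlock; } LongAllocDesc;

/* A compressed-block table entry that carries its own size. */
typedef struct { uint32_t offset; uint32_t size; } BlockEntry;

/* --- Pattern 1: index from the file, never compared with numMaps --- */

/* VULNERABLE: partitionRef indexes maps[] with no bounds check, so a
 * crafted value reads past the array (out-of-bounds read). */
uint32_t lad_to_block_unchecked(const Volume *v, const LongAllocDesc *d)
{
    const PartMap *pm = &v->maps[d->partitionRef];
    return pm->startBlock + d->logicalBlock;
}

/* FIXED: reject the descriptor unless it names a map that was really read.
 * Returns 0 and sets *out on success, -1 on a malformed descriptor. */
int lad_to_block_checked(const Volume *v, const LongAllocDesc *d, uint32_t *out)
{
    if (d->partitionRef >= v->numMaps)
        return -1;
    const PartMap *pm = &v->maps[d->partitionRef];
    if (d->logicalBlock >= pm->numBlocks)   /* keep the offset inside the partition too */
        return -1;
    *out = pm->startBlock + d->logicalBlock;
    return 0;
}

/* --- Pattern 2: block size from the file, never compared with BUF_SIZE --- */

/* VULNERABLE: copies e->size bytes into a BUF_SIZE-byte buffer; a size
 * larger than BUF_SIZE overruns buf and corrupts whatever follows it. */
void extract_block_unchecked(const uint8_t *data, const BlockEntry *e, uint8_t *buf)
{
    memcpy(buf, data + e->offset, e->size);
}

/* FIXED: check the size against the destination AND the source range,
 * written so that offset + size cannot wrap around. */
int extract_block_checked(const uint8_t *data, size_t dataLen,
                          const BlockEntry *e, uint8_t *buf, size_t *outLen)
{
    if (e->size > BUF_SIZE)
        return -1;
    if (e->offset > dataLen || e->size > dataLen - e->offset)
        return -1;
    memcpy(buf, data + e->offset, e->size);
    *outLen = e->size;
    return 0;
}

/* Helpers that run the hardened parsers over constructed input, so the
 * outcome for a crafted value can be observed without triggering UB. */

/* Resolved block for (partitionRef, logicalBlock) on a volume with two
 * partition maps read, or -1 if the hardened check rejects it. */
long resolve_block(uint32_t partitionRef, uint32_t logicalBlock)
{
    Volume v = { { {100, 10}, {200, 10} }, 2 };   /* constructed: 2 of 4 maps read */
    LongAllocDesc d = { partitionRef, logicalBlock };
    uint32_t blk;
    if (lad_to_block_checked(&v, &d, &blk) != 0)
        return -1;
    return (long)blk;
}

/* Bytes copied for a block entry of (offset, size) from a constructed
 * 48-byte input, or -1 if the hardened check rejects it. */
long extract_block(uint32_t offset, uint32_t size)
{
    uint8_t data[48];
    for (size_t i = 0; i < sizeof data; i++) data[i] = (uint8_t)i;  /* constructed input */
    uint8_t buf[BUF_SIZE];
    BlockEntry e = { offset, size };
    size_t n;
    if (extract_block_checked(data, sizeof data, &e, buf, &n) != 0)
        return -1;
    return (long)n;
}

int main(void)
{
    printf("ref 1, block 3       -> %ld\n", resolve_block(1, 3));            /* 203 */
    printf("ref 7, block 0       -> %ld\n", resolve_block(7, 0));            /* -1: past numMaps */
    printf("size 16 @ 0          -> %ld\n", extract_block(0, 16));           /* 16 */
    printf("size 64 @ 0          -> %ld\n", extract_block(0, 64));           /* -1: > BUF_SIZE */
    printf("size 16 @ 40         -> %ld\n", extract_block(40, 16));          /* -1: past end of data */
    printf("size 8 @ 0xFFFFFFF8  -> %ld\n", extract_block(0xFFFFFFF8u, 8)); /* -1: wrap attempt */
    return 0;
}
```

The unchecked variants are kept only for comparison and are never fed the crafted values, since doing so is undefined behaviour. Note that the hardened block copy checks three things, not one: the size against the destination, the offset against the input length, and the size against the remaining input, with the subtraction ordered so a large offset cannot make offset + size wrap to a small number.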

Schultz told Threatpost that because 7-Zip usually comes by default on some Linux installations and is also supported on OS X and Windows, the vulnerabilities have a broad attack surface. On top of that, since the tool is open source (it is distributed under the GNU Lesser General Public License), it comes bundled inside a handful of programs, products and appliances, which also widens the scope.

“The fact that 7-Zip is included in so many other programs, products and appliances, including anti-virus/security products, is also particularly worrisome,” Schultz said. “Many times these security products are positioned at the network border and automate scanning inbound traffic for exploit attempts.”

“If an attacker is able to compromise those devices, it could lead to significant problems for the affected organization.”
