CVE-2022-29072 #262

Closed
CatMe0w opened this issue Apr 18, 2022 · 8 comments

@CatMe0w

CatMe0w commented Apr 18, 2022

Upstream 7-Zip through 21.07 is vulnerable to CVE-2022-29072, which allows privilege escalation and command execution. See https://github.com/kagancapar/CVE-2022-29072 for details.

7-Zip-zstd is probably also vulnerable to this exploit.

Besides this exploit, should we consider removing .chm file and the Help feature entirely from this fork?

@icedterminal

After just reading about this, I personally think the file is redundant. I can't remember the last time I used a .chm help. This system has historically been known to allow arbitrary code execution. The last publicly known exploit was 2015 when MERS was a concern. Trend Micro restructured their site and the article was lost. I found a second article here. https://news.softpedia.com/news/backdoor-delivered-to-japanese-media-company-in-mers-themed-spear-phishing-485613.shtml

Microsoft hasn't touched this help method since the early 2000s. It's much like other pieces of Windows. Abandoned and only there for archaic and ancient software that IT departments refuse to let go of.

It's easier and safer to use a .html file for help to preserve offline capability. And it's cross platform.

@Lanius-collaris

Lanius-collaris commented Apr 21, 2022

> After just reading about this, I personally think the file is redundant. I can't remember the last time I used a .chm help. This system has historically been known to allow arbitrary code execution. The last publicly known exploit was 2015 when MERS was a concern. Trend Micro restructured their site and the article was lost. I found a second article here. https://news.softpedia.com/news/backdoor-delivered-to-japanese-media-company-in-mers-themed-spear-phishing-485613.shtml
>
> Microsoft hasn't touched this help method since the early 2000s. It's much like other pieces of Windows. Abandoned and only there for archaic and ancient software that IT departments refuse to let go of.
>
> It's easier and safer to use a .html file for help to preserve offline capability. And it's cross platform.

I will upload a .html today.

OK.
https://gist.github.com/Lanius-collaris/8513a5b33920d3fb4c9ba62d02e2d4cc

@mcmilk
Owner

mcmilk commented Apr 21, 2022

Just to dump the old chm file seems a bad solution to me.
We need the possibility to edit the file and then build it with some open source tool to .html, .xml or whatever...
Will Igor remove its .chm file?

@mcmilk mcmilk added the todo label Apr 21, 2022
@icedterminal

> Will Igor remove its .chm file?

It's currently disputed. From the outside, Igor thinks there is no issue because there is nothing to fix. It's been called a "hoax" and "nothing has been proven" from various third parties. Though few are named or have spoken up from what I could find.

The 2015 incident in Japan was an already crafted help file that did its deeds once opened. This is drag and drop. You have to have physical access to the computer or at least remote control (screen + mouse) to be able to do anything. If the threat is real, then there is a small risk to begin with. But more to the point, when I attempt this, I get my account returned. How others have got NT/System returned I do not know.

@icedterminal

I've read through a lot of comments in linked material that's spawned over the last few days. I tweeted out to someone that says he's a security researcher. There is no privilege escalation, or if there is, this is not the fault of 7z.

  • The individual says when hh.exe is called using a crafted file, it elevates to NT/System. Browsing source code, 7z does not call hh.exe directly; instead it uses an API. The executable never launches directly.
  • In the example provided, the process is simple. Drag and drop, get a terminal session. In a default Windows installation, this will never happen as shown. There is a security mechanism in place that warns a user when a file contains scripted content. You must accept this prompt. Otherwise nothing is run. You can disable this security mechanism with a registry modification.
  • The example shows an initial terminal with the standard user space. 7z is launched but what user space it was launched with is unknown. It could have very well been launched with admin or even system. Both of which show a UAC prompt unless turned off.

The documentation for the escalation example doesn't include what the author claims is the real problem. When pressed for more information, there is either a language breakdown of explanation or it genuinely doesn't make any sense. The comments are no longer visible because he's been flagged for rule breaking. Given how there is a lot of skepticism and unclear information, I'm leaning more towards this is not as big of a problem as it was made out to be.

@Lanius-collaris

Lanius-collaris commented Apr 21, 2022

> We need the possibility to edit the file and then build it with some open source tool to .html, .xml or whatever...

We can edit the .html directly or rewrite the document with a markup language.

7-zip can unpack .chm files.

@bashenk

bashenk commented Apr 28, 2022

> • In the example provided, the process is simple. Drag and drop, get a terminal session. In a default Windows installation, this will never happen as shown. There is a security mechanism in place that warns a user when a file contains scripted content. You must accept this prompt. Otherwise nothing is run. You can disable this security mechanism with a registry modification.

Just wanted to comment on this that, yes, at least when trying to launch an embedded HTA application script it causes the ActiveX control warning. However, for me the XXE injection does not cause such a warning, and, in the affected versions of 7-Zip, can retrieve the content of files the user can read.
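The thread above turns on two practical points: 7-Zip can unpack a .chm into its HTML pages, and the risk in a help file comes from active content (scripts, ActiveX objects, .hta links, event handlers) rather than from the HTML itself. The script below is an added example, not code from 7-Zip, 7-Zip-zstd or any commenter: it unpacks a .chm with the 7z CLI when one is on PATH (the `7z`/`7zz` executable names and the `x -o<dir>` invocation are standard 7-Zip usage) and then scans HTML pages for active content so a replacement .html help set can be checked before it ships. The sample pages and the `clsid:00000000-...` placeholder are constructed for the demo; no real CLSID or help file is referenced.

```python
"""Check HTML help pages for active content before shipping them in place of a .chm.

Added example for this issue thread; not code from 7-Zip or 7-Zip-zstd.
"""
import html.parser
import re
import shutil
import subprocess
from pathlib import Path

# Elements and attributes that a help page has no business carrying.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
URL_ATTRS = {"href", "src", "action", "data", "codebase"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)                 # onload=, onerror=, ...
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data):", re.I)
ACTIVE_EXT = re.compile(r"\.(hta|exe|vbs|js|cmd|bat)(\?|#|$)", re.I)


class ActiveContentScanner(html.parser.HTMLParser):
    """Collects (line, description) findings for every piece of active content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if EVENT_ATTR.match(name):
                self.findings.append((line, f"{name}= event handler"))
            elif name == "classid":
                self.findings.append((line, "classid= (ActiveX control)"))
            elif name in URL_ATTRS and (ACTIVE_SCHEME.match(value) or ACTIVE_EXT.search(value)):
                self.findings.append((line, f"{name}={value!r}"))


def scan_html(text):
    """Return a list of (line_number, description) for active content in one page."""
    scanner = ActiveContentScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def scan_tree(root):
    """Scan every .htm/.html file under root; returns {relative_path: findings}."""
    root = Path(root)
    report = {}
    for page in sorted(root.rglob("*")):
        if page.suffix.lower() in {".htm", ".html"}:
            findings = scan_html(page.read_text(encoding="utf-8", errors="replace"))
            if findings:
                report[str(page.relative_to(root))] = findings
    return report


def unpack_chm(chm_path, out_dir):
    """Unpack a .chm with the 7z CLI (7-Zip reads the ITSS container format).

    Requires a 7z or 7zz executable on PATH; raises FileNotFoundError otherwise.
    """
    exe = shutil.which("7z") or shutil.which("7zz")
    if exe is None:
        raise FileNotFoundError("no 7z/7zz executable on PATH")
    subprocess.run([exe, "x", "-y", f"-o{out_dir}", str(chm_path)],
                   check=True, stdout=subprocess.DEVNULL)
    return out_dir


# Constructed sample pages (not taken from any real help file).
CLEAN_PAGE = """<html><body>
<h1>Command line syntax</h1>
<p>See <a href="syntax.htm">syntax</a> and <img src="logo.png" alt="logo"></p>
</body></html>"""

SUSPECT_PAGE = """<html><body>
<h1>Help</h1>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<a href="javascript:alert(1)">run</a>
<a href="payload.hta">open</a>
<img src="x.png" onerror="alert(1)">
</body></html>"""


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(label, scan_html(page))
```

To check a real help set, call `unpack_chm("7-zip.chm", "chm_out")` and then `scan_tree("chm_out")`; an empty report means the pages carry none of the constructs that trigger the scripted-content warning discussed above, which is the state a plain .html replacement should be in.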

@mcmilk
Owner

mcmilk commented Jun 17, 2022

This project will mainly add some codecs to 7-Zip.
I have no time or need for a full fork with a lot of new features... or big differences from 7-Zip.

@mcmilk mcmilk closed this as completed Jun 17, 2022
5 participants