Open Easthrone opened 2 years ago
Most probably there is no issue.
If there actually is a privilege escalation, that bug is not an issue with 7zip or the Microsoft® HTML Help Executable (HH.exe), but with Microsoft Windows.
Kağan Çapar keeps posting different explanations. The common theme would be that there actually is no issue. He probably just tries to make up a cloud of plausibility.
Kağan Çapar posted this file to Tavis Ormandy (from Google Zero). If you extract it, it might hose your NTFS (older Windows), or just drop hard-to-remove files ("just some naïve attempt at directory traversal that couldn't possibly work"). The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.
7zip by default does not run with elevated privileges. It should not be able to get them by itself, unless there is an issue with Windows. If 7zip can do it, other programs should be able to as well.
If there is a bug, it is not a bug in 7zip.
That file doesn't even belong to me. I've been making fun of Tavis since yesterday; I don't have to send him the payload.
I could not reproduce either. When I try to drag a 7z file into the CHM content window, I only get "Do you want to open or save this file?".
https://user-images.githubusercontent.com/2276718/164577605-e8596058-1f04-4970-a97d-1212bca978d9.mp4
I created an HTML file which contains the public POC from https://dl.packetstormsecurity.net/2204-exploits/7zip-escalate.txt and renamed it to a 7z file. Then I got a warning. When I click Yes, I can only get the current user's shell, not the SYSTEM user's shell.
<html>
<head>
<!-- HTA application header; the ID is arbitrary -->
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
// Launches a command shell in the context of whoever runs the HTA
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
</html>
https://user-images.githubusercontent.com/2276718/164581174-2fcafd9f-9863-4c6c-8059-dabc302bf513.mp4
I also tried to drag the HTML file to the CHM content window. IT IS THE SAME.
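The reproduction above reports only a current-user shell. An added example (not part of the issue thread, and not code from 7zip, HH.exe or any commenter) that makes that claim checkable: run the script from the cmd.exe window the payload opens and it reports the user, the integrity label and whether the token is an elevated administrator token. The function name and the integrity-level table are mine; the lookup of the S-1-16-* label through the token group list, with a whoami fallback, is an assumption about what .NET exposes on the tested Windows build.

```powershell
# Added example, not from the issue thread: summarise the token of the
# current process. Run it from the cmd.exe window the HTA payload opens
# (e.g. `powershell -File Get-TokenSummary.ps1`) to see whether that shell
# is still the logged-on user at Medium integrity, as the reproduction
# above reports, or whether it actually reached High or System.

function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # Integrity label SIDs are S-1-16-<RID>; the RID is the integrity level.
    $levels = @{
        0     = 'Untrusted'
        4096  = 'Low'
        8192  = 'Medium'
        8448  = 'Medium Plus'
        12288 = 'High'
        16384 = 'System'
    }

    # Assumption: the label SID is carried in the token's group list
    # (Vista and later). If .NET does not expose it, fall back to whoami.
    $labelSid = $identity.Groups |
        Where-Object { $_.Value -like 'S-1-16-*' } |
        Select-Object -First 1 -ExpandProperty Value
    if (-not $labelSid) {
        $row = whoami /groups /fo csv | ConvertFrom-Csv |
            Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
        $labelSid = $row.SID
    }
    $rid = if ($labelSid) { [int]($labelSid -split '-')[-1] } else { -1 }

    [pscustomobject]@{
        User         = $identity.Name
        IsSystem     = $identity.IsSystem
        IsAdminToken = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegritySid = $labelSid
        Integrity    = if ($levels.ContainsKey($rid)) { $levels[$rid] } else { 'Unknown' }
        # A privilege escalation would have to show up here: High or System.
        Elevated     = ($rid -ge 12288)
    }
}

Get-TokenSummary | Format-List
```

A shell that reports the logged-on user at Medium integrity with Elevated = False is exactly what the commenter describes: code execution as the person who opened the file, not a privilege escalation. Compare the output with the same script run from a normal, non-elevated PowerShell window to confirm nothing changed.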
@kagancapar
> That file doesn't even belong to me. I've been making fun of Tavis since yesterday; I don't have to send him the payload.
Regardless of what that actually means, I've made a Wayback Machine backup for future reference, cheers!
> Most probably there is no issue.
> If there actually is a privilege escalation, that bug is not an issue with 7zip or the Microsoft® HTML Help Executable (HH.exe), but with Microsoft Windows.
> Kağan Çapar keeps posting different explanations. The common theme would be that there actually is no issue. He probably just tries to make up a cloud of plausibility.
> Kağan Çapar posted this file to Tavis Ormandy (from Google Zero). If you extract it, it might hose your NTFS (older Windows), or just drop hard-to-remove files ("just some naïve attempt at directory traversal that couldn't possibly work"). The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.
> 7zip by default does not run with elevated privileges. It should not be able to get them by itself, unless there is an issue with Windows. If 7zip can do it, other programs should be able to as well.
> If there is a bug, it is not a bug in 7zip.
Even though I said that this file does not belong to me, you still continue to talk as if it is mine. I don't take you seriously; don't waste your breath for nothing. Don't stop insulting me on Twitter. We are not even in the same class. I'm posting the link again: this file is not mine, it was purely done to troll Tavis.
> I created an HTML file which contains the public POC from https://dl.packetstormsecurity.net/2204-exploits/7zip-escalate.txt and renamed it to a 7z file. Then I got a warning. When I click Yes, I can only get the current user's shell, not the SYSTEM user's shell.
>
> <html>
> <head>
> <HTA:APPLICATION ID="7zipcodeexec">
> <script language="jscript">
> var c = "cmd.exe";
> new ActiveXObject('WScript.Shell').Run(c);
> </script>
> </head>
> </html>
>
> Video_2022-04-22_095533-converted.mp4
> I also tried to drag the HTML file to the CHM content window. IT IS THE SAME.
This is not the PoC code of the privesc attack. Also, a tip for you to bypass ActiveX before working inside the payload: under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0], check "1201"=dword:00000000; if this DWORD has a value of 1, setting it to 0 will bypass the popup.
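The registry tip above turns off a prompt rather than escalating anything, and it is worth being able to see and undo. As an added example (mine, not the commenter's and not from 7zip or HH.exe), the script below reads URL action 1201 for the Local Machine zone (Zone 0) from both HKCU and HKLM and flags a value of 0, and offers a function that puts it back to Prompt. Assumptions of mine: the function names; that action 1201 is "Initialize and script ActiveX controls not marked as safe for scripting" with 0 = Enabled, 1 = Prompt, 3 = Disabled; and that when both hives carry a zone setting the HKCU value wins unless the machine enforces HKLM-only zone policy.

```powershell
# Added example, not from the issue thread: audit the "1201" URL action in
# the Local Machine zone (Zone 0) that the comment above points at.
# Assumed semantics: 1201 = "Initialize and script ActiveX controls not
# marked as safe for scripting"; 0 = Enabled (no prompt), 1 = Prompt,
# 3 = Disabled. A 0 in HKCU lets HTML rendered in that zone (which is where
# HH.exe shows CHM content) script unsafe ActiveX controls without a prompt.

$ZonePath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Meaning  = @{ 0 = 'Enabled (no prompt)'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneAction1201 {
    param(
        [int]$Zone = 0,
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'
    )
    $key = "${Hive}:\$ZonePath\$Zone"
    # $null when the key or the value is absent (the zone then uses its default)
    $val = (Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue).'1201'
    [pscustomobject]@{
        Hive     = $Hive
        Zone     = $Zone
        Key      = $key
        Value    = $val
        Meaning  = if ($null -eq $val) { 'Not set (zone default)' }
                   elseif ($Meaning.ContainsKey([int]$val)) { $Meaning[[int]$val] }
                   else { 'Unknown' }
        # The tip in the comment above produces exactly this state.
        Weakened = ($val -eq 0)
    }
}

function Restore-ZoneAction1201 {
    # Put the per-user value back to Prompt (1); supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Zone = 0)
    $key = "HKCU:\$ZonePath\$Zone"
    if ($PSCmdlet.ShouldProcess($key, 'Set 1201 back to 1 (Prompt)')) {
        Set-ItemProperty -Path $key -Name '1201' -Value 1 -Type DWord
    }
}

# Report Zone 0 in both hives; HKCU is the one the tip above modifies.
foreach ($h in 'HKCU', 'HKLM') { Get-ZoneAction1201 -Zone 0 -Hive $h }
```

Run it before and after following the tip to see the change, and `Restore-ZoneAction1201 -WhatIf` to preview the rollback. Reading HKLM needs no elevation; writing it would, which is why the restore function only touches HKCU.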
@kagancapar
> (...stripped...) The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.
> Even though I said that this file does not belong to me, you still continue to talk as if it is mine.
False. Even Tavis themself has clearly attributed it correctly:
> When I told him that, he said "that file doesn't belong to me anyway" - then explained he was planning his wedding and was too busy to answer more questions.
-- source
> I'm posting the link again: this file is not mine, it was purely done to troll Tavis.
I fail to see how that behavior would help anyone.
I can't reproduce the problem described in your video. What is the "privese.exe"? Is this what caused it?