7-Zip zero-day vulnerability grants privilege escalation

PSA: A security researcher recently discovered a vulnerability in the file archiver 7-Zip that could grant attackers high privileges and let them execute code. Developers haven’t released a patch yet, but users can quickly nullify this security hole in the meantime.

Last week, researcher Kağan Çapar found and published a zero-day vulnerability in 7-Zip that can grant privilege escalation and command execution. Designated CVE-2022-29072, it affects Windows users running version 21.07 — the latest version as of now.

As the video below shows, an attacker with limited access to a system can activate the vulnerability by opening the “Help” window in 7-Zip under Help->Contents and dragging a file with the .7z extension into that window. Any file with that extension will work. It doesn’t have to be a real 7z archive.

By running a child process under the 7zFM.exe process, the vulnerability can elevate the attacker’s privileges and let them run commands on the target system. Çapar blames this on a misconfiguration in the file 7z.dll and heap overflow.

The Windows HTML helper file may also share some blame, as other programs can allow command execution through it. Çapar mentions a similar vulnerability that works through the Windows HTML helper file and WinRAR.

Deleting the file “7-zip.chm” in the 7-Zip root folder can mitigate the issue until devs patch it. It’s unclear when that will be.