There has been an ever-increasing number of vulnerabilities and malware rearing their ugly heads lately. One of the most common things such malware attempts is to gain elevated permissions so that its code can execute without user interaction. Recently, a new vulnerability was found in the popular archival software 7-Zip that can potentially allow just that.
7-Zip is an open source universal compression and archive utility that runs on Unix-like systems and Windows. The exploit in question takes advantage of the fact that the Windows version of the software uses the system's help file format, known as CHM files. These help files can still use ActiveX controls, a technology that saw its final release in 2013 and is today considered deprecated. Researchers have considered ActiveX insecure for years because of the elevated permissions inherent to it, including the ability to execute shell commands directly as a privileged user.
YouTube Video of the 7-Zip Flaw in Action
When 7-Zip's help menu is opened, it launches hh.exe, which can still run and use ActiveX objects. If a file with the .7z extension is dragged onto the help window that appears, after malware or an attacker has already run their piece to set up the condition for elevated access, it can potentially open a command prompt with elevated administrator access. This is shown in the video made by Kağan Çapar, a security researcher from Turkey.
Kağan does state in his GitHub repository, which outlines the vulnerability, that he will not publish the details of the exploit until after the issue is patched by the 7-Zip developers. No action has been taken yet, unfortunately. He does, however, go on to say that the bug report has been issued to the 7-Zip developers, and that its CVE-2022-29072 designation has been submitted to security reporting websites.
Screenshot of 7-Zip Bug Report
Of course, the researcher also outlines what is probably the simplest way to prevent the issue: just delete the CHM file from your 7-Zip installation. This prevents the help menu from opening, so any attempt at this simply fails. You can also restrict the permissions under which the hh.exe process runs, but for most users deleting the .chm file from the installation directory is easiest.
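As an added example (not from the article or from the 7-Zip project), the following PowerShell script applies the mitigation described above: it looks for .chm help files in the default 7-Zip install directories (those paths and the backup location are assumptions), copies each one to a backup folder and then deletes it. It supports -WhatIf and must run from an elevated session, since the files live under Program Files.

```powershell
# Added example: remove the CHM help file(s) from 7-Zip installations so the
# help menu can no longer launch hh.exe. Not part of 7-Zip itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed backup location; each removed file is copied here first so the
    # change can be reverted once a patched 7-Zip is installed.
    [string]$BackupDir = (Join-Path $env:ProgramData '7zip-chm-backup')
)

# Assumed default install directories for 64-bit and 32-bit 7-Zip builds.
$candidates = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) {
        $dir = Join-Path $root '7-Zip'
        if (Test-Path -LiteralPath $dir) { $dir }
    }
}

if (-not $candidates) {
    Write-Host '7-Zip was not found in the default install locations.'
    return
}

$removed = @()
foreach ($dir in $candidates) {
    # Any .chm in the install directory is a help file that hh.exe would open.
    foreach ($chm in Get-ChildItem -LiteralPath $dir -Filter '*.chm' -File) {
        if ($PSCmdlet.ShouldProcess($chm.FullName, 'Remove CHM help file')) {
            if (-not (Test-Path -LiteralPath $BackupDir)) {
                New-Item -ItemType Directory -Path $BackupDir | Out-Null
            }
            # Keep a copy before deleting so the help file can be restored.
            Copy-Item -LiteralPath $chm.FullName -Destination $BackupDir -Force
            Remove-Item -LiteralPath $chm.FullName -Force
            $removed += $chm.FullName
        }
    }
}

# Report the result; with the file gone, opening Help fails instead of
# starting hh.exe.
if ($removed.Count -gt 0) {
    Write-Host "Removed $($removed.Count) help file(s), backed up to $BackupDir"
    $removed | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No .chm help files found; nothing to do.'
}
```

Run it with `-WhatIf` first to see which files would be removed; restoring is a matter of copying the backed-up file back into the install directory.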