Attackers can score user privileges thanks to heap corruption hassle
Some of the world’s biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-zip compression tool to stop attackers gaining full control of customer machines.
Cisco security researcher Jaeson Schultz found and reported the holes to the maintainers of the open source 7-Zip platform who kindly cooked up a fix.
Schultz told The Register the flaws could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users.
“Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” Schultz says.
“A fully patched Windows 10 box lacking the 7-Zip fixes would not help you.”
Many security and software products use 7-Zip. Google searches reveal hugely popular affected products including FireEye and MalwareBytes, however it is important to note the vulnerabilities are not due to flaws in these offerings.
The researcher, from Cisco’s Talos security team, reported the borked input validation flaws detailing where the bad code exists after 7-Zip had produced patched version 16.
“An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files … [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor,” Schultzsays.
“An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFilemethod functionality of 7-Zip.
“There is no check whether the size of the block is bigger than size of the buffer buf, which can result in a malformed block size which exceeds the mentioned buf size. This will cause a buffer overflow and subsequent heap corruption.”
Schultz says many vulnerabilities stem from a failure to validate untrusted input data, a feat that is of critical importance application security.