Just a couple of months ago, an information security expert nicknamed LANDAVE, or Dave, found a security vulnerability in the 7-Zip utility.
A group of information security professionals noted that 7-Zip bundles a wide variety of file decompression tools, and that some users install it as one of their most important complementary Windows applications.
7-Zip is not only compatible with its own brand of highly compressed files; it also knows how to extract data from most other archive formats.
That includes ZIP files, gzip and bzip2 files, Unix tar and cpio files, Windows CAB and MSI files, Macintosh DMG files, CD (ISO) images and more, plus an optional two-pane file management interface that old-school users will appreciate.
Information security experts say that 7-Zip includes support for RAR files, and that is where the vulnerability lies; it is believed to have been inherited from the open source code of the UnRAR tool.
7-Zip has already been patched against this bug, CVE-2018-10115; now LANDAVE has published the details of his finding, and of what it took to work out how serious this vulnerability could be.
Dave said the problem arose from a common conflict between complexity and security. He commented that the UnRAR code is very complex: it supports a variety of different compression levels and formats, including a special "solid" mode that links files together before compressing them, which frequently compresses better than squashing each file independently.
This solid option is included in the RAR file format because it improves compression by allowing repeated string matches even when they occur in different files, instead of restricting matches to data within a single file. When you have several small but similar files, for example, this results in many more repeated string matches being found, and the compression ratio goes up.
What the researcher found is that the UnRAR decompression code, as used by 7-Zip, does not set up its internal state securely before it starts using it, which means that 7-Zip could innocently inherit a serious flaw from the RAR code.
In other words, some uninitialized variables in the UnRAR code made it possible to create a booby-trapped archive file that tricks the UnRAR code into executing hidden code stored in the data portion of that file.
Code smuggled in this way, disguised as data, is known as shellcode.
Bugs that allow shellcode execution are known as Remote Code Execution (RCE) vulnerabilities: a malicious actor can use a file to run malware on your device, even if you just open the booby-trapped file and look at it.
Dave also created a proof-of-concept (PoC) exploit demonstrating how to craft a RAR file that sneakily and unexpectedly starts the Calculator application.
The researcher commented that if a PoC can pop up CALC.EXE without warning, it could be modified to execute any command, including malware, invisibly to the user.
Dave's goal of building a working exploit was made easier because the applications included with 7-Zip had been built without support for address space layout randomization (ASLR).
Without ASLR, the 7-Zip tools always load at the same addresses, which makes exploitation easier because attackers can predict which useful pieces of executable code will already be loaded, and where, the researcher commented.
Now, in some good news, the creator of 7-Zip not only patched the uninitialized-variable vulnerability (CVE-2018-10115) in the product, but also compiled the updated version with ASLR enabled. These changes were released a week ago in 7-Zip version 18.05.
The information security expert offers some recommendations on what to do:
If you are a 7-Zip user, be sure to use the latest version.
If you are a Windows programmer, do not ship any software that is not ASLR-compatible. With Visual Studio, you can build with the /DYNAMICBASE option.
If you are a programmer, initialize the data fields with safe and reasonable values when creating new objects.
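The last recommendation, applied to the kind of decoder state that a solid archive reuses from one file to the next, as an added illustration that is not 7-Zip or UnRAR code: the struct, the [len][bytes] table block layout, the function names and the inline test data are all constructed for this example, not taken from the real RAR format.

```cpp
// Constructed illustration (not 7-Zip/UnRAR code): per-entry decoder state
// reused across the files of a solid archive, with no field readable before set.
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical decoder state. Default member initializers guarantee a fresh
// object never carries garbage or the previous entry's values.
struct DecoderState {
    std::array<std::uint8_t, 16> table{};  // zero-initialized lookup table
    std::size_t table_len = 0;             // number of valid entries in table
    bool table_loaded = false;             // true only after load_table succeeds
};

// Reset between solid-archive entries: nothing survives from the previous file.
void begin_entry(DecoderState& st) { st = DecoderState{}; }

// Parse a constructed table block laid out as [len][len bytes]. A block that
// claims more entries than fit, or than it supplies, is rejected unchanged.
bool load_table(DecoderState& st, const std::vector<std::uint8_t>& blk) {
    if (blk.empty()) return false;
    const std::size_t len = blk[0];
    if (len > st.table.size() || blk.size() < 1 + len) return false;
    for (std::size_t i = 0; i < len; ++i) st.table[i] = blk[1 + i];
    st.table_len = len;
    st.table_loaded = true;
    return true;
}

// Hardened lookup: needs a table loaded for this entry and an in-range index.
std::optional<std::uint8_t> lookup(const DecoderState& st, std::size_t idx) {
    if (!st.table_loaded || idx >= st.table_len) return std::nullopt;
    return st.table[idx];
}

// Scenario: entry 1 loads a table, a malformed block is rejected, and entry 2
// must not see entry 1's table. Returns true when every check holds.
bool solid_state_checks() {
    DecoderState st;
    begin_entry(st);
    if (lookup(st, 0).has_value()) return false;        // nothing loaded yet
    if (!load_table(st, {3, 10, 20, 30})) return false;
    if (lookup(st, 2).value_or(0) != 30) return false;
    if (lookup(st, 3).has_value()) return false;        // index past table_len
    if (load_table(st, {5, 1})) return false;           // claims 5 bytes, gives 1
    begin_entry(st);                                    // start of next solid entry
    return !lookup(st, 2).has_value();                  // stale table is gone
}
```

The point of the struct is that a state object which is reused for every file in a solid archive is only safe if every field has a defined value before the first read, which is exactly what the default member initializers and begin_entry guarantee.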