7-Zip Zero-Day Exploit Allegedly Leaked Online
- From: Vulnerability (cybersecuritynews.com)
Author: Balaji N
A critical 7-Zip zero-day exploit has allegedly been leaked by an individual operating under the alias “NSA_Employee39” on X. The exploit is claimed to let attackers execute arbitrary code on a victim’s machine when a crafted archive is opened or extracted with the latest version of 7-Zip.
This disclosure poses significant cybersecurity risks, particularly in the context of Infostealer malware proliferation and potential supply chain attack vectors.
Cyber Security News recently reported a severe security vulnerability, CVE-2024-11477, which has been discovered in 7-Zip, the popular file compression utility, allowing remote attackers to execute malicious code through specially crafted archives.
The Vulnerability: Exploiting 7-Zip’s LZMA Decoder
The disclosed zero-day targets the LZMA decoder in 7-Zip. Specifically, it leverages a malformed LZMA stream to trigger a buffer overflow in the RC_NORM function.
This sophisticated exploit manipulates buffer pointers and payload alignment to execute arbitrary code on the victim’s system.
For users, this means a simple act of opening or extracting a malicious .7z file using the 7-Zip application could compromise the system, enabling attackers to execute malicious shellcode without requiring any additional user interaction.
Screenshot of the 0-day posted on Pastebin
To demonstrate the exploit, “NSA_Employee39” shared a screenshot via Pastebin, showing code that executes a benign payload—launching the Windows Calculator app (calc.exe). However, this code can easily be replaced with more harmful payloads, amplifying the threat significantly.
A New Avenue for Infostealer Malware
The exploit is particularly concerning within the context of Infostealer malware attacks. These malicious programs are designed to quietly extract sensitive information, such as login credentials, banking details, and personal data, from infected systems.
Infostealers often rely on social engineering tactics to spread, typically using password-protected .rar or .zip files to bypass antivirus scans. However, the 7-Zip zero-day eliminates the need for password protection or complex methods.
The potential for this vulnerability extends far beyond individual users. Many organizations, particularly in supply chain operations, automate workflows that involve extracting files received from external sources.
Such a scenario poses significant risks, including data breaches, ransomware propagation, and widespread operational disruption.
While exploiting this vulnerability is conceptually straightforward, it requires a high degree of technical expertise. For instance, attackers need to craft shellcode capable of functioning within a constrained space of only 100-200 bytes.
Despite this limitation, cybersecurity experts warn that skilled adversaries could readily overcome these challenges, making the exploit a clear and present danger.
The release of this 7-Zip zero-day raises broader concerns regarding software vulnerabilities and the responsible disclosure process.
Unlike vulnerabilities reported through official channels, which allow developers time to patch them, public disclosures without warning give attackers an immediate opportunity to exploit unprotected systems.
To compound concerns, “NSA_Employee39” has hinted at the imminent release of another zero-day targeting MyBB, an open-source forum software. If revealed, this could lead to massive breaches and expose sensitive databases from countless online communities.
What Should Users and Organizations Do?
While an official patch for the 7-Zip vulnerability has not yet been released, cybersecurity experts recommend taking immediate action to minimize risk. Key steps include:
- Monitor for Updates: Users and organizations should closely follow updates from 7-Zip’s developers and apply patches as soon as they are released.
- Implement Mitigation Strategies: Organizations should adopt file sandboxing and scanning mechanisms to scrutinize third-party files before processing them.
- Raise Awareness: Conduct training to educate users on the risks of opening unsolicited or suspicious archive files.
- Community Collaboration: Cybersecurity professionals and researchers must collaborate to analyze and counteract the emerging threats posed by this and other exploits.
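The scanning step above, and the automated extraction pipelines mentioned earlier, need a concrete gate. The following is an added example, not code from the article or from the 7-Zip project: it validates the fixed 32-byte signature header of a .7z container (magic, version, start-header CRC, and that the "next header" lies inside the file with a matching CRC) before the file is handed to any extractor. The layout follows the 7z format description shipped with 7-Zip; the sample archives are constructed inline. The check is purely structural and does no decompression, so it filters truncated or tampered containers but says nothing about the compressed LZMA payload itself; it complements sandboxed extraction rather than replacing it.

```python
"""Structural pre-check for inbound .7z files before automated extraction.

Added example (not from the article or the 7-Zip project). Layout of the
signature header, per the 7z format description:
  bytes  0..5   magic '7z\xBC\xAF\x27\x1C'
  bytes  6..7   major, minor version
  bytes  8..11  CRC32 of the 20-byte start header (little-endian)
  bytes 12..31  start header: NextHeaderOffset (u64), NextHeaderSize (u64),
                NextHeaderCRC (u32); the offset is relative to byte 32.
"""
import struct
import zlib

SIGNATURE = b"7z\xbc\xaf\x27\x1c"
SIG_HEADER_LEN = 32


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def check_7z_container(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Structural checks only; nothing is decompressed."""
    if len(data) < SIG_HEADER_LEN:
        return False, "file shorter than the 32-byte signature header"
    if data[:6] != SIGNATURE:
        return False, "missing 7z signature"
    major, minor = data[6], data[7]
    if major != 0:
        return False, f"unsupported major version {major}"
    stored_crc = struct.unpack_from("<I", data, 8)[0]
    start_header = data[12:32]
    if crc32(start_header) != stored_crc:
        return False, "start header CRC mismatch"
    next_off, next_size, next_crc = struct.unpack("<QQI", start_header)
    body_len = len(data) - SIG_HEADER_LEN
    # Both bounds are checked separately to avoid wrap-around on huge offsets.
    if next_off > body_len or next_size > body_len - next_off:
        return False, "next header lies outside the file"
    if next_size:
        begin = SIG_HEADER_LEN + next_off
        if crc32(data[begin:begin + next_size]) != next_crc:
            return False, "next header CRC mismatch"
    return True, f"ok (format 0.{minor})"


def build_minimal_7z(next_header: bytes = b"", packed: bytes = b"") -> bytes:
    """Construct a container around the given packed bytes and next header.

    Used only to produce constructed samples; with both arguments empty it
    yields the 32-byte empty archive.
    """
    start = struct.pack("<QQI", len(packed), len(next_header), crc32(next_header))
    return (SIGNATURE + bytes([0, 4]) + struct.pack("<I", crc32(start))
            + start + packed + next_header)


def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Decide per file whether it may proceed to sandboxed extraction."""
    verdicts = {}
    for name, blob in files.items():
        ok, reason = check_7z_container(blob)
        verdicts[name] = ("extract-in-sandbox" if ok else "quarantine") + ": " + reason
    return verdicts


if __name__ == "__main__":
    # Constructed samples: one well-formed archive and three damaged variants.
    good = build_minimal_7z(next_header=b"\x01\x04\x06\x00", packed=b"\x00" * 8)
    tampered = bytearray(good)
    tampered[12] ^= 0x01                      # flip a bit inside the start header
    samples = {
        "vendor-drop.7z": good,
        "truncated.7z": good[:-1],
        "bad-magic.7z": b"PK" + good[2:],
        "tampered.7z": bytes(tampered),
        "empty.7z": build_minimal_7z(),
    }
    for name, verdict in triage(samples).items():
        print(f"{name:16} {verdict}")
```

In a pipeline this sits in front of the extractor, with the extraction step itself still run in a sandbox with a size cap and a timeout; a container that passes here can still carry a malicious payload, so the pre-check only removes the cheap, obviously broken inputs before anything touches a decompressor.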
For defenders, the episode highlights the urgent need to bolster defenses and maintain vigilance in the face of rapidly evolving threats.
The cybersecurity community now awaits further developments, including a potential fix from 7-Zip’s developers and the promised disclosure of the MyBB zero-day.
In the meantime, organizations and individuals must remain alert, as this exploit demonstrates the far-reaching risks posed to supply chains, critical systems, and users worldwide.
Update:
Igor Pavlov, the creator of 7-Zip, dismissed the claims in the 7-Zip discussion forum’s bugs section, stating: “This report on Twitter is fake. I don’t understand why this Twitter user made such a claim. There is no ACE vulnerability in 7-Zip / LZMA.”
The @NSA_Employee39 account did not provide an immediate response to requests for comment on social media.
Update 4 pm EST:
The @NSA_Employee39 account shared an update on Pastebin: “This vulnerability arises from inadequate validation of the LZMA stream structure which enables malformed input to trigger the overflow and execute arbitrary code. Remember this is a PROOF OF CONCEPT.”
Update 6 pm EST:
Igor Pavlov denied the statement shared by the X account, stating that “there is no RC_NORM function in LZMA decoder. Instead, 7-Zip contains RC_NORM macro in LZMA encoder and PPMD decoder. Thus, the LZMA decoding code does not call RC_NORM. And the statement about RC_NORM in the exploit comment is not true.”
Update: Jan 1, 2025, 12:38 am:
Marc R, a researcher from Kaspersky, has stated that the RC_NORM macro is safe and does not present any vulnerabilities.
Thread: Debunking the 7-Zip Exploit PoC
1/ Claim: A proof-of-concept exploit for 7-Zip was shared online, supposedly targeting a vulnerability in the LZMA decoder. The exploit allegedly triggers a buffer overflow in the RC_NORM macro. Let’s dive in and analyze! …
— Marc R (@Seifreed) January 1, 2025
Additionally, the researcher confirmed that malformed LZMA streams trigger errors rather than causing overflows, so such cases are handled robustly. Furthermore, the shellcode and offsets included in the proof of concept are non-functional, rendering the exploit ineffective.