A vulnerability in the 7-Zip library, specifically the Zstandard decompression algorithm, was investigated. The vulnerability could potentially allow remote code execution through an integer underflow, but exploiting it requires specific conditions and is unlikely to succeed with modern security mitigations. The researcher found and confirmed the vulnerability with fuzz testing and debugging, and it has since been patched in versions 2407 and 2408, so users are advised to update their 7-Zip installations.
7-Zip Vulnerability
• 00:00:05 The 7-Zip vulnerability is related to the Zstandard decompression algorithm within the 7-Zip library. The vulnerability was initially reported as a possibility of malicious code execution when extracting a malicious 7-Zip archive. However, the researcher found that the specific details of the exploit were not readily available.
Fuzz Testing
• 00:04:02 Fuzz testing was used to explore the potential vulnerabilities within the 7-Zip library. The researcher employed afl-gcc to instrument the build, generate random inputs, and track code branches in order to uncover crashes in the program. The fuzzing campaign identified over 4,000 crashes, a subset of which were unique and gave insight into the potential exploit path.
Crash Triaging
• 00:06:23 Crash triaging involved identifying the exact cause of the crashes discovered during fuzz testing. The process entailed running the program in GDB with the crashing inputs to analyze the backtraces and crash sites. The researcher determined the specific function ('copy chunks') and the sequence of events leading to the crash, finding that a stream size of zero could underflow the length arithmetic and cause an overflow.
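Worked example, added here and not the researcher's or 7-Zip's code: a hypothetical copy-chunks-style routine showing how an unsigned length derived from a zero stream size wraps, beside a checked version that validates the size before deriving any length. The chunk layout, header length, and sample stream are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical chunk layout (assumption): a fixed header, then the payload. */
#define CHUNK_HDR_LEN 4u

/* Unchecked length arithmetic: with stream_size == 0 the unsigned
 * subtraction wraps to a huge value instead of failing, so a copy
 * driven by this length would run far past the real buffer. */
size_t payload_len_unchecked(size_t stream_size) {
    return stream_size - CHUNK_HDR_LEN;
}

/* Hardened copy: reject streams shorter than the header before any
 * subtraction, and bound the copy by the output capacity.
 * Returns bytes written to out, or -1 on a malformed stream. */
long copy_chunks_checked(const uint8_t *in, size_t stream_size,
                         uint8_t *out, size_t out_cap) {
    if (stream_size < CHUNK_HDR_LEN)      /* rejects the zero-size stream */
        return -1;
    size_t payload = stream_size - CHUNK_HDR_LEN; /* cannot wrap now */
    if (payload > out_cap)                /* claimed size larger than buffer */
        return -1;
    memcpy(out, in + CHUNK_HDR_LEN, payload);
    return (long)payload;
}

/* Runs the checked copy over a constructed 7-byte sample stream
 * (4 header bytes + "abc") with an attacker-controlled claimed size. */
long run_sample(size_t claimed_size) {
    static const uint8_t stream[] = { 0x01, 0x02, 0x03, 0x04, 'a', 'b', 'c' };
    uint8_t out[16];
    return copy_chunks_checked(stream, claimed_size, out, sizeof out);
}

int main(void) {
    printf("unchecked len for size 0: %zu\n", payload_len_unchecked(0));
    printf("checked copy, size 0:     %ld\n", run_sample(0));
    printf("checked copy, size 7:     %ld\n", run_sample(7));
    printf("checked copy, size 100:   %ld\n", run_sample(100));
    return 0;
}
```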
Exploitability
• 00:10:48 The researcher explored the exploitability of the discovered vulnerability. While the vulnerability is technically exploitable, it requires specific conditions for the crash to occur, which are unlikely to arise in typical circumstances. Modern operating system and compiler mitigations such as stack canaries, position-independent executables, and NX can hinder this type of attack, making the exploit more challenging for attackers.
Patching Recommendations
• 00:12:05 The researcher concludes that the vulnerability does exist and recommends updating to 7-Zip version 2407 or 2408. While the vulnerability is theoretically exploitable, modern security mitigations make it difficult to exploit, and the patch resolves the issue. Users are urged to apply the update as soon as possible to protect their systems.