https://www.zerodayinitiative.com/advisories/ZDI-25-045/ discloses:
7-Zip Mark-of-the-Web Bypass Vulnerability
ZDI-25-045
ZDI-CAN-25456
CVE ID CVE-2025-0411
CVSS SCORE 7.0, AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
AFFECTED VENDORS 7-Zip
AFFECTED PRODUCTS 7-Zip
VULNERABILITY DETAILS
This vulnerability allows remote attackers to bypass the Mark-of-the-Web
protection mechanism on affected installations of 7-Zip. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the handling of archived files. When
extracting files from a crafted archive that bears the Mark-of-the-Web,
7-Zip does not propagate the Mark-of-the-Web to the extracted files.
An attacker can leverage this vulnerability to execute arbitrary code in
the context of the current user.
Fixed in 7-Zip version 24.09
DISCLOSURE TIMELINE
2024-10-01 - Vulnerability reported to vendor
2025-01-19 - Coordinated public release of advisory
2025-01-19 - Advisory Updated
CREDIT Peter Girnus - Trend Micro Zero Day Initiative
https://www.7-zip.org/history.txt lists this fix in the 24.09 release as:
- The bug was fixed: 7-Zip File Manager didn't propagate Zone.Identifier stream
for extracted files from nested archives (if there is open archive inside
another open archive).
As explained on https://en.wikipedia.org/wiki/Mark_of_the_Web
the Zone.Identifier metadata is what Microsoft Windows platforms use
to track where files were downloaded from in order to warn you if you
are opening a file from a remote website.
Correspondingly, the Zone.Identifier handling code in
7z2409-src/CPP/7zip/UI/Common/ArchiveExtractCallback.cpp
is wrapped inside "#if defined(_WIN32)".
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
