On 8/9/25 15:46, lunbun wrote:
> [...]
> ## Details
> 7-Zip before 25.01 does not always properly handle symbolic links during
> extraction. Prior to 25.01, it was possible for a maliciously crafted archive
> to create an unsafe symbolic link. 7-Zip follows symbolic links when
> extracting, so this leads to arbitrary file write.
> An attacker may leverage this arbitrary file write to achieve unauthorized
> access/code execution, such as by overwriting a user's SSH keys or .bashrc file
> [1]. In one extraction, an attacker may attempt several times to leverage this
> vulnerability to write to sensitive files.
How much does the attacker have to guess here? Somehow I doubt that
7-Zip resolves "~" in file names or symlink targets. (I understand that
the attacker can simply pack multiple symlinks into the archive.)
To target .bashrc or replace the SSH authorized_keys file, does the
attacker need to know the user's login name, or is it possible to simply
list relative symlink targets using .., ../.., ../../.., etc. and hope
that the archive is being extracted somewhere below the user's home
directory, as opposed to somewhere under /tmp?
Does a malicious archive produce suspicious output when listed with
`7z l`? Is this more of a concern for systems that automatically extract
archives and incautious users or is this actually a general problem?
-- Jacob
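As an added example (not code from this thread or from 7-Zip), here is a defender-side audit of an archive listing that models the behaviour the advisory describes: an extractor that creates symlinks and then follows them for later entries. It flags every member that would create a link to, or write a file at, a path outside the extraction directory, treating relative `..` chains and absolute targets alike so the verdict does not depend on where the archive is unpacked. The `Entry` type, the `audit` function and the sample listing are constructed here.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Entry:
    """One archive member: a regular file, or a symlink when symlink_target is set."""
    name: str
    symlink_target: Optional[str] = None

def _escapes_root(path: str) -> bool:
    # A normalized path, taken relative to the extraction root, leaves it if absolute or climbing.
    return path.startswith("/") or path == ".." or path.startswith("../")

def _resolve(name: str, links: Dict[str, str]) -> str:
    """Walk an archive path component by component, substituting any prefix that
    an earlier entry turned into a symlink (what a link-following extractor does)."""
    resolved = "/" if name.startswith("/") else ""
    for part in filter(None, name.split("/")):
        resolved = posixpath.normpath(posixpath.join(resolved, part)) if resolved else part
        resolved = links.get(resolved, resolved)
    return resolved

def audit(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (entry name, effective path, reason) for every member whose extraction
    would create or write through a path outside the extraction directory."""
    links: Dict[str, str] = {}
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        effective = _resolve(e.name, links)
        if e.symlink_target is None:
            if _escapes_root(effective):
                findings.append((e.name, effective, "file write outside extraction directory"))
            continue
        # Relative targets resolve against the link's directory; posixpath.join keeps absolute ones.
        target = posixpath.normpath(posixpath.join(posixpath.dirname(effective), e.symlink_target))
        links[effective] = target  # later entries under this name go through the link
        if _escapes_root(target):
            findings.append((e.name, target, "symlink points outside extraction directory"))
    return findings

# Constructed sample listing (not from a real archive): a benign file, a benign
# in-tree symlink, then a link climbing out of the tree and a file written through it.
SAMPLE_ENTRIES = [
    Entry("docs/readme.txt"),
    Entry("docs/link", symlink_target="../docs/readme.txt"),
    Entry("cfg", symlink_target="../../.."),
    Entry("cfg/.bashrc"),
]
```

Running `audit(SAMPLE_ENTRIES)` reports only the last two members; the in-tree link resolves to `docs/readme.txt` and is accepted.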