Hi Jacob, Thanks for asking.
For all of the following results, I have tested on 7-Zip 25.00 on Debian. Yes, 7-Zip does not resolve `~` in file names/symlink targets. Symlink targets are relative to the extraction directory, so if the user extracts to somewhere in their home directory, an attacker could use the .., ../.., ../../.., etc... strategy to reliably point to `~/.bashrc` or `~/.ssh/authorized_keys`. If, say, the archive is extracted to `/tmp` and the CWD is `/tmp`, then yes, the best an attacker can do is guess the user's login name. However, only specifying the extraction directory with `-o` cannot be used to mitigate this as a malicious actor could use `/proc/self/cwd`. The CWD also needs to be set to a safe directory. Say that a malicious actor is able to point to `~/.bashrc`. By default, `7z x` will present the user with a `Y/n` prompt asking if they want to overwrite `.bashrc`. However, 7-Zip displays the path of `.bashrc` before symlink resolution, so an attacker can hide every part of the path except for the file basename. Here is a sample message: ``` Would you like to replace the existing file: Path: ./malicious_link/.bashrc Size: 3526 bytes (4 KiB) Modified: 2025-04-18 22:47:34 with the file from archive: Path: malicious_link/.bashrc Size: 5 bytes (1 KiB) Modified: 1970-01-01 00:00:00 ? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? ``` Of course, this prompt is not displayed if the targeted file does not already exist. Similarly, for `7z l`, symlinks targets are not listed, so an attacker can hide every part of the path except for the file basename. On Sat, Aug 9, 2025 at 8:10 PM Jacob Bachmeyer <jcb62...@gmail.com> wrote: > On 8/9/25 15:46, lunbun wrote: > > [...] > > > > ## Details > > > > 7-Zip before 25.01 does not always properly handle symbolic links during > > extraction. Prior to 25.01, it was possible for a maliciously-crafted > > archive > > to create an unsafe symbolic link. 7-Zip follows symbolic links when > > extracting, so this leads to arbitrary file write. > > > > An attacker may leverage this arbitrary file write to achieve > unauthorized > > access/code execution, such as by overwriting a user's SSH keys or > > .bashrc file > > [1]. In one extraction, an attacker may attempt several times to > > leverage this > > vulnerability to write to sensitive files. > > How much does the attacker have to guess here? Somehow I doubt that > 7-Zip resolves "~" in file names or symlink targets. (I understand that > the attacker can simply pack multiple symlinks into the archive.) > > To target .bashrc or replace the SSH authorized_keys file, does the > attacker need to know the user's login name, or is it possible to simply > list relative symlink targets using .., ../.., ../../.., etc. and hope > that the archive is being extracted somewhere below the user's home > directory, as opposed to somewhere under /tmp? > > Does a malicious archive produce suspicious output when listed with `7z > l`? Is this more of a concern for systems that automatically extract > archives and incautious users or is this actually a general problem? > > > -- Jacob > > >
