Related vulnerability
Title:
7-Zip buffer error vulnerability
(CVE-2022-29072)
Description: 7-Zip is compression software. 7-Zip 21.07 has a security vulnerability that allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by a misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
Description
** DISPUTED ** 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur.
Introduction
# CVE-2022-29072
> 7-Zip through 21.07 on Windows allows privilege escalation and command
> execution when a file with the .7z extension is dragged to the
> Help\>Contents area.
# Uncertainty
There is quite a bit of public uncertainty regarding this CVE. The NIST vulnerability details page lists this CVE with a status of "awaiting analysis".
The mitigation for this "potential" vulnerability is to remove the 7-Zip help file ("7-zip.chm") from the 7-Zip installation directory. If we err on the side of caution here, the worst case is that the file is removed, the few users who rely on the help file lose access to it, and the help file is re-installed in the next application update cycle.
> ** DISPUTED ** 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur.
# Overview
The POC for privilege escalation at the GitHub repository below has not been released (thankfully; the author appears not keen on releasing it, for reasons that are their own). In the meantime, we recommend applying the currently recommended mitigation, which is to remove the "7-zip.chm" (compressed HTML help file) from the installation directory.
Also use your SIEM (Microsoft Sentinel) to set up alerting on interactions between the "7-zip.chm" file and utilities such as "cmd.exe", "powershell.exe", or "pwsh.exe", so that any such activity raises an alert. We chose to replicate the CVE author's [sigma rule](https://github.com/kagancapar/CVE-2022-29072/blob/main/7z_CVE-2022-29072.yml) to generate alerts via Sentinel.
Visit the "[scripts](https://github.com/sentinelblue/CVE-2022-29072/tree/main/scripts)" and "[Microsoft Sentinel](https://github.com/sentinelblue/CVE-2022-29072/tree/main/Sentinel)" directories for more information.
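The detection idea described above, as an added example that is not code from the sentinelblue repository or the CVE author's sigma rule: a Python check over constructed Sysmon EID 1-style process-creation records that flags a shell spawned directly under 7zFM.exe, or a shell whose command line references 7-zip.chm, while leaving a normal help-viewer launch unflagged. The field names (Image, ParentImage, CommandLine) and the two match conditions are assumptions; the actual selection logic lives in the linked YAML.

```python
import ntpath
from typing import Iterable

# Shell utilities named in the overview; matching is case-insensitive on the basename.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HELP_FILE = "7-zip.chm"   # the compressed HTML help file the mitigation removes
PARENT = "7zfm.exe"       # 7-Zip File Manager, the parent named in the advisory

def _base(path: str) -> str:
    """Lower-cased file name from a Windows path (telemetry usually carries full paths)."""
    return ntpath.basename(path or "").lower()

def classify(event: dict) -> list[str]:
    """Return the reasons an event matches; an empty list means no alert."""
    image, parent = _base(event.get("Image")), _base(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()
    reasons = []
    if parent == PARENT and image in SHELLS:
        reasons.append("shell spawned by 7zFM.exe")
    if image in SHELLS and HELP_FILE in cmdline:
        reasons.append("7-zip.chm referenced in command line")
    return reasons

def alerts(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Run classify() over a stream of records and keep (EventId, reasons) for hits."""
    return [(e["EventId"], r) for e in events if (r := classify(e))]

# Constructed sample events with Sysmon EID 1-style fields; not real telemetry.
SAMPLE_EVENTS = [
    {"EventId": "1", "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"EventId": "2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe", "CommandLine": "7zFM.exe"},
    {"EventId": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\7-Zip\7-zip.chm"'},
    # Benign: the HTML Help viewer opening the help file from the file manager.
    {"EventId": "4", "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'hh.exe "C:\Program Files\7-Zip\7-zip.chm"'},
]

if __name__ == "__main__":
    for event_id, reasons in alerts(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Events 1 and 3 are reported; event 4 (hh.exe opening the help file) is not, which is the false-positive case a production rule must keep in mind.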
## References
<https://github.com/kagancapar/CVE-2022-29072>
<https://nvd.nist.gov/vuln/detail/CVE-2022-29072>
File snapshot
[4.0K] /data/pocs/251d689dc6a58c663fc126f65519fdf7dd851920
├── [1.2K] LICENSE
├── [2.1K] README.md
├── [4.0K] scripts
│ └── [2.6K] Remove-7ZipHelpFile.ps1
└── [4.0K] Sentinel
├── [4.1K] cve-2022-29072_7-zip_priv_escalation.json
├── [1.8K] cve-2022-29072_7-zip_priv_escalation.yaml
├── [1.4K] example_security_eid_4688.xml
├── [2.0K] example_sysmon_eid_1.xml
├── [ 530] hunting.kql
└── [2.5K] readme.md
2 directories, 9 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.