7-Zip, a free, open-source file archiver, has been found to contain a serious vulnerability (CVE-2022-29072). Dragging a specially crafted file into the application's Help > Contents area can reportedly allow execution of arbitrary commands with system privileges. The vulnerability affects Windows and, according to the report, stems from a misconfiguration of the 7z.dll library combined with a clipboard overload.
After being notified, the 7-Zip developers did not accept responsibility for the vulnerability. They maintained that the behaviour is caused by hh.exe (Microsoft HTML Help), the process Windows launches during the drag-and-drop operation. The researcher who discovered the vulnerability counters that hh.exe is not the root cause, because the exploit's scripts run as a child process of 7zFM.exe. A command-injection attack is possible because the 7zFM.exe clipboard is overloaded and 7z.dll is misconfigured.
The example used was a help file that opened cmd.exe through injected commands. Although third parties have reported that privilege escalation is not possible in this case, an exploit that gains System privileges is said to be under development; it will not be published until a patch for this 7-Zip vulnerability is released. Until the fix ships, the recommended precaution is to restrict access to 7-Zip to read and execute only.
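As an added example (not code from the article, the researcher, or the 7-Zip project), the following PowerShell script implements the read-and-execute-only precaution described above: it audits the NTFS ACL of the 7-Zip installation directory for entries that grant non-administrative principals more than read-and-execute, and, when run with -Apply from an elevated prompt, replaces the ACL with a minimal read-and-execute-only set for Users. The install path, the trusted principal names, and the rights chosen are assumptions, not details from the article.

```powershell
<#
Added example, not code from the article or from the 7-Zip project.
Audits the NTFS ACL of the 7-Zip install directory for Allow entries that grant
more than read-and-execute to principals other than SYSTEM, Administrators and
TrustedInstaller, and with -Apply rewrites the ACL to read-and-execute-only for Users.
Assumptions: default install path, built-in principal names, elevated prompt.
#>
param(
    [string]$SevenZipDir = (Join-Path $env:ProgramFiles '7-Zip'),  # assumed default install path
    [switch]$Apply                                                  # audit only unless set
)

# Principals that legitimately keep write access to program files (assumption)
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that exceed read-and-execute: any write, delete or permission-change bit.
# Modify and FullControl both contain these bits, so they are detected too.
$beyondRX = [System.Security.AccessControl.FileSystemRights]::Write -bor
            [System.Security.AccessControl.FileSystemRights]::Delete -bor
            [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
            [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Returns the Allow ACEs on $Path that give an untrusted principal more than read-and-execute
function Get-ExcessiveGrants {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        ([int]$_.FileSystemRights -band [int]$beyondRX) -ne 0
    }
}

# Replaces the ACL on $Path with: SYSTEM and Administrators FullControl, Users ReadAndExecute
function Set-ReadExecuteOnly {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent; second argument $false discards the inherited ACEs
    $acl.SetAccessRuleProtection($true, $false)
    # Remove the explicit ACEs so only the rules added below remain
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }   # read and run only
    )
    foreach ($r in $rules) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $r.Id, $r.Rights, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (-not (Test-Path -LiteralPath $SevenZipDir)) {
    throw "7-Zip directory not found: $SevenZipDir"
}

$findings = @(Get-ExcessiveGrants -Path $SevenZipDir)
if ($findings.Count -eq 0) {
    Write-Host "OK: no untrusted principal holds more than read-and-execute on $SevenZipDir"
} else {
    Write-Host "Entries exceeding read-and-execute on ${SevenZipDir}:"
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    if ($Apply) {
        Set-ReadExecuteOnly -Path $SevenZipDir
        Write-Host "ACL replaced: SYSTEM and Administrators FullControl, Users ReadAndExecute."
    }
}
```

Run it without arguments to audit, or with `-Apply` to enforce the restricted ACL. On a standard installation under Program Files, Windows already grants Users read-and-execute only, so the audit usually reports nothing; the check is mainly useful for copies of 7-Zip placed in user-writable locations. Restricting the program files is the precaution the article names, but it should be treated as an interim measure until the vendor patch is available.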