
Alleged 7-Zip Zero-Day Vulnerability Claims Disputed by Developer

A recent claim of a zero-day vulnerability in the popular file compression software 7-Zip has been disputed by the program's developer, raising questions about the legitimacy of the reported security flaw.

The controversy began when a social media user (X/Twitter) operating under the handle "NSA_Employee39" posted claims about discovering an arbitrary code execution (ACE) vulnerability in 7-Zip, sharing what they described as exploit code via Pastebin.

7zip zeroday release

The user suggested the vulnerability could allow arbitrary code execution through specially crafted archives when opened with the current version of 7-Zip.

However, Igor Pavlov, the developer of 7-Zip, promptly responded to these claims on the project's SourceForge page, stating unequivocally that "This report on Twitter is fake" and "There is no such ACE vulnerability in 7-Zip/LZMA." The developer's response has cast significant doubt on the validity of the purported exploit.

7zip developer called it fake

Adding to the skepticism, security engineers attempting to verify the exploit have reported difficulties reproducing the claimed vulnerability.

One researcher, posting under the handle @LowLevelTweets, documented their unsuccessful attempts to execute the proof-of-concept code, noting that after "messing with this PoC for over an hour" they could not get any result: no crashes, hangs, or timeouts.

Low Level Tweets

The researcher also raised technical concerns about the exploit code itself, questioning why function addresses were hardcoded in Windows shellcode and noting suspicious aspects of the PEB (Process Environment Block) walk implementation. The two do not sit well together: a PEB walk exists precisely to resolve API addresses at runtime, because with ASLR and differing Windows builds a hardcoded address is unlikely to be valid on a victim's machine.

The alleged vulnerability was initially reported to target 7-Zip's LZMA decoder, supposedly exploiting a buffer overflow in the RC_NORM routine (the range-coder normalization macro in the LZMA SDK's LzmaDec.c, which shifts the next byte of compressed input into the decoder's code register). If successfully exploited, it would allow attackers to execute arbitrary code on victims' systems through specially crafted archive files.

Last month, security researcher Nicholas Zubrisky of Trend Micro Security Research disclosed a high-severity vulnerability in 7-Zip that allows remote attackers to execute malicious code through specially crafted archives. The flaw, tracked as CVE-2024-11477, carries a CVSS score of 7.8 and affects versions of the software before 24.07, which fixed it.

The vulnerability specifically exists within 7-Zip's implementation of Zstandard decompression, where improper validation of user-supplied data can result in an integer underflow before writing to memory. Since 7-Zip has no automatic update mechanism, anyone still running an older build should install 24.07 or later by hand.
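The page gives only that one-line description of CVE-2024-11477, so the following is an added, generic illustration of the bug class it names (a length that underflows before a write), written for this article and not taken from 7-Zip's Zstandard code. It places a hypothetical block parser whose payload length wraps beside a hardened version that validates before doing arithmetic or writing; the block layout, the names and the two sample blocks are assumptions made for the example.

```c
/* Added, generic illustration of the bug class named above (a length that underflows before a
 * write). The block layout here is hypothetical, for this example only: it is not 7-Zip's
 * Zstandard code and says nothing about where CVE-2024-11477's underflow actually lives. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN 4   /* hypothetical header: 2-byte magic, then a little-endian 16-bit block size */

static uint16_t declared_size(const uint8_t *blk) { return (uint16_t)(blk[2] | (blk[3] << 8)); }

/* Vulnerable shape: trusts the declared size. When it is smaller than the header the subtraction
 * wraps to a huge size_t, and a memcpy of that length would run far past both buffers. The
 * function returns the length it would copy so the wrap is observable without performing it. */
size_t payload_len_unchecked(const uint8_t *blk) {
    return (size_t)declared_size(blk) - HDR_LEN;   /* underflows when declared < HDR_LEN */
}

/* Hardened shape: validate against the header length, the bytes actually present and the
 * destination before any arithmetic or write. Returns bytes copied, or -1 on a bad block. */
long extract_payload(const uint8_t *blk, size_t blk_len, uint8_t *out, size_t out_cap) {
    if (blk_len < HDR_LEN) return -1;
    uint16_t declared = declared_size(blk);
    if (declared < HDR_LEN || declared > blk_len) return -1;   /* no underflow, no over-read */
    size_t n = (size_t)declared - HDR_LEN;
    if (n > out_cap) return -1;                                 /* no over-write */
    memcpy(out, blk + HDR_LEN, n);
    return (long)n;
}

/* Constructed inputs: a well-formed block (declared size 7 = 4 header + 3 payload) and one whose
 * declared size (2) is below the header length. */
static const uint8_t GOOD_BLOCK[] = { 'Z', 'S', 7, 0, 'a', 'b', 'c' };
static const uint8_t BAD_BLOCK[]  = { 'Z', 'S', 2, 0, 'a', 'b', 'c' };
uint8_t scratch[16];

long extract_good(void) { return extract_payload(GOOD_BLOCK, sizeof GOOD_BLOCK, scratch, sizeof scratch); }
long extract_bad(void)  { return extract_payload(BAD_BLOCK,  sizeof BAD_BLOCK,  scratch, sizeof scratch); }
```

The point of the hardened version is the order of the checks: the declared size is compared with the header length and with the bytes actually present before the subtraction happens, and the result is compared with the destination capacity before the copy, so neither the read nor the write can leave its buffer.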

Low Level (@LowLevelTweets) has also published a follow-up video on the claim that is worth watching.

Update:

Just now, the poster of the alleged exploit, @NSA_Employee39, has published a message explaining the flaw, which reads:

Hi Idor! The issue lies in the RC_NORM macro in LzmaDec.c. This macro normalizes range and code values during decoding and increments the buf pointer (`p->buf++`) without verifying if it exceeds allocated memory or the bufLimit. The lack of bounds checking allows a custom forged LZMA stream to manipulate range and code, which causes the buf pointer to overflow into adjacent memory. By designing the LZMA stream with very low-frequency symbols, we can exploit this to overwrite critical memory regions such as return addresses or function pointers. To put it simply, this vulnerability arises from inadequate validation of the LZMA stream structure, which enables malformed input to trigger the overflow and execute arbitrary code. Remember, this is a PROOF OF CONCEPT
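The message above names a specific mechanism: RC_NORM advancing `buf` with no check against `bufLimit`. The example below is added here and is not code from 7-Zip, the LZMA SDK or the poster; it is a minimal LZMA-style binary range coder built on the public SDK's design. It shows what such a normalization step does (it shifts the next byte of compressed input into the code register) and the way a decoder of this shape keeps the unchecked `*buf++` inside the input buffer: decode with no per-byte checks while at least REQUIRED_INPUT_MAX bytes remain, and dry-run each symbol against the real end of the buffer once fewer do. The names, the 8-byte margin, the `demo` harness and the sample text are this example's own assumptions.

```c
/* Added example, not 7-Zip's or the LZMA SDK's code: a minimal LZMA-style binary range coder in
 * the public SDK's design (all names are this example's own). It shows what an RC_NORM-style step
 * does and how a decoder bounds its unchecked *buf++: a margin for the fast path, a dry run near the end. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define K_TOP        (1u << 24)
#define K_MODEL_BITS 11
#define K_MOVE_BITS  5
#define PROB_INIT    ((uint16_t)(1u << (K_MODEL_BITS - 1)))
#define RC_INIT_SIZE 5
/* A symbol is 8 adaptive bits; each bit refills at most one byte (probs stay in [31, 2017], so one shift restores range >= K_TOP). */
#define REQUIRED_INPUT_MAX 8

/* Encoder, included only so the example can build a valid stream. */
typedef struct { uint64_t low, cacheSize; uint32_t range; uint8_t cache, *out; size_t outPos, outCap; } RcEnc;
static void rc_shift_low(RcEnc *e) {
    if ((uint32_t)e->low < 0xFF000000u || (uint32_t)(e->low >> 32) != 0) {
        uint8_t temp = e->cache;
        do {   /* outPos counts dropped bytes too, so an overflowed cap is detectable */
            if (e->outPos < e->outCap) e->out[e->outPos] = (uint8_t)(temp + (uint8_t)(e->low >> 32));
            e->outPos++; temp = 0xFF;
        } while (--e->cacheSize != 0);
        e->cache = (uint8_t)((uint32_t)e->low >> 24);
    }
    e->cacheSize++; e->low = (uint32_t)e->low << 8;
}
static void rc_encode_bit(RcEnc *e, uint16_t *prob, unsigned bit) {
    uint32_t bound = (e->range >> K_MODEL_BITS) * *prob;
    if (bit == 0) { e->range = bound; *prob += ((1u << K_MODEL_BITS) - *prob) >> K_MOVE_BITS; }
    else { e->low += bound; e->range -= bound; *prob -= *prob >> K_MOVE_BITS; }
    if (e->range < K_TOP) { e->range <<= 8; rc_shift_low(e); }
}
/* Encodes data[0..n) as 8-bit literals; returns the stream length (> cap if it did not fit). */
size_t encode_bytes(const uint8_t *data, size_t n, uint8_t *out, size_t cap) {
    RcEnc e = { 0, 1, 0xFFFFFFFFu, 0, out, 0, cap };
    uint16_t probs[256]; for (int k = 0; k < 256; k++) probs[k] = PROB_INIT;
    for (size_t i = 0; i < n; i++)
        for (unsigned symbol = 1, b = 8; b-- > 0; symbol = (symbol << 1) | ((data[i] >> b) & 1))
            rc_encode_bit(&e, &probs[symbol], (data[i] >> b) & 1);
    for (int k = 0; k < 5; k++) rc_shift_low(&e);   /* flush */
    return e.outPos;
}

/* Decoder. RC_NORM: when range drops below 2^24, shift the next INPUT byte into code. It reads
 * *buf and advances it with no check of its own, so the caller must already know the byte exists. */
typedef struct { uint32_t range, code; const uint8_t *buf; } RcDec;
#define RC_NORM(d) if ((d)->range < K_TOP) { (d)->range <<= 8; (d)->code = ((d)->code << 8) | *(d)->buf++; }
static unsigned rc_decode_bit(RcDec *d, uint16_t *prob) {
    RC_NORM(d)
    uint32_t bound = (d->range >> K_MODEL_BITS) * *prob;
    if (d->code < bound) { d->range = bound; *prob += ((1u << K_MODEL_BITS) - *prob) >> K_MOVE_BITS; return 0; }
    d->range -= bound; d->code -= bound; *prob -= *prob >> K_MOVE_BITS;
    return 1;
}
static unsigned decode_byte(RcDec *d, uint16_t *probs) {
    unsigned symbol = 1;
    do symbol = (symbol << 1) | rc_decode_bit(d, &probs[symbol]); while (symbol < 0x100);
    return symbol & 0xFF;
}
/* Dry run of decode_byte on a copy of the state (probs untouched) in which every refill first
 * checks that a byte exists. Returns 0 if the symbol would read past end, else 1. */
static int try_decode_byte(RcDec d, const uint16_t *probs, const uint8_t *end) {
    for (unsigned symbol = 1; symbol < 0x100; ) {
        if (d.range < K_TOP) { if (d.buf >= end) return 0; d.range <<= 8; d.code = (d.code << 8) | *d.buf++; }
        uint32_t bound = (d.range >> K_MODEL_BITS) * probs[symbol];
        if (d.code < bound) { d.range = bound; symbol <<= 1; }
        else { d.range -= bound; d.code -= bound; symbol = (symbol << 1) | 1; }
    }
    return 1;
}
/* Decodes up to nout symbols from in[0..inSize) without ever reading past the end; returns the count. */
size_t decode_bytes(const uint8_t *in, size_t inSize, uint8_t *out, size_t nout) {
    const uint8_t *end = in + inSize;
    RcDec d = { 0xFFFFFFFFu, 0, NULL };
    uint16_t probs[256]; size_t i = 0;
    if (inSize < RC_INIT_SIZE || in[0] != 0) return 0;   /* byte 0 of an LZMA stream is always 0 */
    for (int k = 0; k < 256; k++) probs[k] = PROB_INIT;
    for (d.buf = in + 1; d.buf < in + RC_INIT_SIZE; ) d.code = (d.code << 8) | *d.buf++;
    while (i < nout) {
        if ((size_t)(end - d.buf) < REQUIRED_INPUT_MAX && !try_decode_byte(d, probs, end))
            break;                          /* near the end: dry-run first and stop if it would overrun */
        out[i++] = decode_byte(&d, probs);  /* otherwise the fast, unchecked path cannot overrun */
    }
    return i;
}

static const uint8_t SAMPLE[] = "range coder normalization reads input";   /* constructed input */
size_t demo_stream_len, demo_full, demo_trunc;   /* filled in by demo() for inspection */
/* Round-trips SAMPLE, then decodes a truncated copy of its stream. Returns 1 if the full decode
 * matched and the truncated one stopped short having produced only correct symbols. */
int demo(void) {
    size_t n = sizeof SAMPLE - 1; uint8_t stream[512], back[64];
    demo_stream_len = encode_bytes(SAMPLE, n, stream, sizeof stream);
    if (demo_stream_len > sizeof stream) return 0;
    demo_full = decode_bytes(stream, demo_stream_len, back, n);
    if (demo_full != n || memcmp(back, SAMPLE, n) != 0) return 0;
    demo_trunc = decode_bytes(stream, demo_stream_len / 2, back, n);
    return demo_trunc >= 1 && demo_trunc < n && memcmp(back, SAMPLE, demo_trunc) == 0;
}
```

Two things are worth noticing when reading the claim against this shape. The normalization step only reads the input stream; the bytes it consumes go into the 32-bit `code` register, not into memory adjacent to the buffer. And the absence of a check inside the macro is deliberate: the bound is enforced once per symbol by the caller (`REQUIRED_INPUT_MAX` plus the dry run), which is the same pattern the real LzmaDec.c uses with LZMA_REQUIRED_INPUT_MAX and LzmaDec_TryDummy. Whether a given stream can defeat that outer bound is the question any reproduction attempt has to answer.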
