The libraries of the widely used archiving and compression program 7-Zip contain vulnerabilities that allow attackers to have the same rights as logged in users. The vulnerabilities were discovered by Cisco security researcher Jaeson Schultz.
The issues arise from not properly validating the data entered, which can lead to security bugs CVE-2016-2335 and CVE-2016-2334, writes Schultz on the Cisco Talos blog. After the bugs were reported, 7-Zip released a fix in version 16 of the application.
On The Register, Schultz explains that whenever a user with certain privileges executes vulnerable 7-Zip code on the physical system, an attacker can exploit this vulnerability by allowing them to execute code with the same privileges.
The vulnerabilities consist of an out-of-bounds read vulnerability in the way 7-Zip handles UDF files. This problem can be set in motion by providing input with an incorrectly formulated long allocation descriptor.
The other vulnerability takes advantage of a heap overflow vulnerability, which exists in the Archive::NHfs::CHdler::ExtractZlibFile functionality on the Hfs+ file system. It doesn’t check if a block is larger than the size of the buffer, which allows an incorrectly sized block to exceed the buf size, leading to a buffer overflow and then a heap corruption in CVE-2016-2334, explains Schultz out on his blog.
The latest patched version can be downloaded from the 7-Zip site for various operating systems.