CVE-2024-11477: 7-Zip Remote Code Execution
Affected versions of 7-Zip (prior to 24.07) are vulnerable to remote code execution. A remote attacker can trigger an integer underflow in the Zstandard decompressor and use it to write to memory. The vulnerability was reported to 7-Zip in June 2024.
Technical Information
Tracked as CVE-2024-11477 (ZDI-24-1532). 7-Zip versions before 24.07 contain an integer underflow (explained below) that can lead to a buffer overflow and, from there, remote code execution. The root cause is improper validation of attacker-supplied data: the Zstandard decompression routine trusts a length value taken from the input, so a remote attacker who delivers a specially crafted archive can cause arbitrary code to execute on the victim's endpoint when the archive is decompressed. Exploitation requires user interaction, since the victim must open or extract the malicious file.
At the time of writing there are no known exploits in the wild, and threat intelligence does not indicate active exploitation. Exploitation attempts are expected to increase once a working exploit becomes public, so the upgrade should not be deferred on that basis.
What is an Integer Underflow?
An integer underflow occurs when an arithmetic operation produces a result below the minimum value that the variable's type can represent. Because fixed-width binary arithmetic is performed modulo 2^n (where n is the number of bits), the result does not fail; it wraps around to the other end of the representable range.
For example, a signed variable that is 1 byte (8 bits) wide can hold values from -128 to 127. In two's complement notation the most significant bit is the sign bit (1 for negative, 0 for positive), so -128 is represented as 10000000: the sign bit set and all other bits clear. This is the lowest value the type can hold.
If an operation on that variable would produce a value below -128 (for example -129), an underflow occurs and the stored value wraps around to the maximum value of the type (127), because the bit pattern that would represent -129 flips the sign bit. On its own an underflow is not exploitable; it becomes dangerous when the wrapped value is used as a length, offset or remaining-capacity figure in a bounds check. A check such as "is the requested length greater than the remaining space?" passes when the remaining space has wrapped to a huge number, and the subsequent copy overflows the buffer. This is the pattern described by CWE-191 (Integer Underflow).
Let's have a look at the code changes in the 7-Zip project that show where the integer underflow occurred. The relevant commit is the 24.07 release commit linked in the References section (the diff screenshot from the original post is not reproduced here). In the diff, red indicates removed lines of code and green indicates added lines.
In the original line 1311, the code assigned a Byte constant to the pointer declared on line 1310. The fix changes this to an unsigned type so that a negative value can no longer end up in ptr. The developers also added two lines that detect a mis-assigned value and bail out of the decode, where previously the application would simply continue into the faulty write or crash. Together these changes stop an attacker from overflowing the stack buffer and writing to memory.
Essentially, the previous version allowed a threat actor to supply a value for the sym variable that underflowed the arithmetic, bypassed the bounds check and caused a buffer overflow. That out-of-bounds write is the primitive an attacker would build on to execute arbitrary code.
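The following is an added example, written for this page rather than taken from 7-Zip's source, that demonstrates the mechanism described in the two sections above: a length check that is bypassed because the "remaining capacity" subtraction underflows, beside the hardened form of the same check that validates the operand before subtracting (the shape of the 24.07 fix). It uses unsigned size_t arithmetic, which is how length math in real decoders usually underflows; the wrap is the same modulo-2^n effect as the signed 8-bit case above. The block format, the names decode_vulnerable, decode_hardened and run_block, and the sizes OUT_SIZE and GUARD are all constructed for this demo and are not Zstandard or 7-Zip structures. The output buffer carries a guard region so the demo itself stays memory-safe while still showing the bytes that land past the logical end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy block format for this demo (NOT Zstandard / 7-Zip):
 *   blk[0]   = dst : output offset at which the payload is written (untrusted)
 *   blk[1]   = len : payload length (untrusted)
 *   blk[2..] = payload bytes
 */
#define BLOCK_HDR 2
#define OUT_SIZE  8      /* logical size of the decoder's output buffer */
#define GUARD     32     /* extra bytes so the demo itself stays memory-safe */

enum { DEC_OK = 0, DEC_BAD_INPUT = -1, DEC_REJECTED = -2 };

/* Vulnerable bounds check: "remaining = OUT_SIZE - dst" is computed before
 * anyone verifies dst <= OUT_SIZE. If dst > OUT_SIZE the unsigned subtraction
 * wraps to a value near SIZE_MAX (integer underflow, CWE-191), "len > remaining"
 * is false, and memcpy writes past the logical end of out[]. */
int decode_vulnerable(const uint8_t *blk, size_t blk_len, uint8_t *out, size_t *written)
{
    if (blk_len < BLOCK_HDR) return DEC_BAD_INPUT;
    size_t dst = blk[0];
    size_t len = blk[1];
    if (len > blk_len - BLOCK_HDR) return DEC_BAD_INPUT;  /* input side IS checked */

    size_t remaining = OUT_SIZE - dst;       /* underflows when dst > OUT_SIZE */
    if (len > remaining) return DEC_REJECTED; /* bypassed after the underflow */

    memcpy(out + dst, blk + BLOCK_HDR, len);
    *written = len;
    return DEC_OK;
}

/* Hardened: validate the operand before subtracting, so the subtraction
 * can never wrap, and reject anything that would not fit. */
int decode_hardened(const uint8_t *blk, size_t blk_len, uint8_t *out, size_t *written)
{
    if (blk_len < BLOCK_HDR) return DEC_BAD_INPUT;
    size_t dst = blk[0];
    size_t len = blk[1];
    if (len > blk_len - BLOCK_HDR) return DEC_BAD_INPUT;

    if (dst > OUT_SIZE || len > OUT_SIZE - dst) return DEC_REJECTED; /* no wrap possible */

    memcpy(out + dst, blk + BLOCK_HDR, len);
    *written = len;
    return DEC_OK;
}

/* Runs one block through a decoder into a zeroed, guarded buffer and counts
 * how many bytes beyond OUT_SIZE were modified. Returns the decoder's status
 * and sets *spilled to the number of guard bytes overwritten. */
int run_block(int (*dec)(const uint8_t *, size_t, uint8_t *, size_t *),
              const uint8_t *blk, size_t blk_len, size_t *spilled)
{
    uint8_t backing[OUT_SIZE + GUARD];
    memset(backing, 0, sizeof backing);
    size_t written = 0;
    int rc = dec(blk, blk_len, backing, &written);

    *spilled = 0;
    for (size_t i = OUT_SIZE; i < sizeof backing; i++)
        if (backing[i] != 0) (*spilled)++;
    return rc;
}

/* Crafted block (constructed): dst = 12 (> OUT_SIZE), len = 4, payload "AAAA".
 * With the vulnerable check, remaining = 8 - 12 wraps to SIZE_MAX - 3, the
 * check passes, and "AAAA" lands at backing[12..15], 4 bytes past the
 * logical buffer (inside the guard region, so the demo stays safe). */
static const uint8_t crafted_block[] = { 12, 4, 'A', 'A', 'A', 'A' };
/* Benign block (constructed): dst = 2, len = 4, fits inside OUT_SIZE. */
static const uint8_t benign_block[]  = {  2, 4, 'B', 'B', 'B', 'B' };

int main(void)
{
    size_t spilled;
    int rc;

    rc = run_block(decode_vulnerable, crafted_block, sizeof crafted_block, &spilled);
    printf("vulnerable: rc=%d, guard bytes overwritten=%zu\n", rc, spilled);

    rc = run_block(decode_hardened, crafted_block, sizeof crafted_block, &spilled);
    printf("hardened:   rc=%d, guard bytes overwritten=%zu\n", rc, spilled);
    return 0;
}
```

The point to take from the hardened version is the order of operations: the untrusted operand (dst) is compared against the buffer size first, and only then is the subtraction performed, so the result can never wrap. Writing the check as `dst + len > OUT_SIZE` would be the same mistake in the other direction, since the addition can overflow for large values; keeping the check in the "compare before subtract" form avoids both.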
Mitigation
The fix is included in 7-Zip 24.07 and later; upgrade to 24.07 or newer. Note that 7-Zip does not update itself, so the new version must be deployed through your software distribution process, and any third-party software that bundles 7-Zip's Zstandard decoder should be checked with its vendor. Ensure that users are educated on the risks associated with files that come from unknown sources.
If you require assistance with vulnerability management, security operations, or compliance please reach out to our team.
References
ZDI-24-1532, Zero Day Initiative advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-1532/
CVE-2024-11477, NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-11477
CWE-191: Integer Underflow (Wrap or Wraparound): https://cwe.mitre.org/data/definitions/191.html
Infosec Institute, "What is integer overflow and underflow?": https://www.infosecinstitute.com/resources/secure-coding/what-is-is-integer-overflow-and-underflow/
7-Zip 24.07 fix commit: https://github.com/ip7z/7zip/commit/a7a1d4a241492e81f659a920f7379c193593ebc6