After all, it could have been an actual exploit, not a buggy application. If 7-zip doesn't have admin privilege to begin with, whatever bug it has shouldn't have allowed it to obtain the privilege. The fix has to be the root cause that would prevent escalation even with a vulnerable application, or generic mitigation like application blacklisting, signature detection or application sandboxing. People can actively write exploits, let alone copying some vulnerable binary to trigger some known exploit. If you assume the local user is malicious, then you are totally right. This is largely true for all local privilege escalation vulnerabilities. This means that the vulnerability isn't really with 7zip at all, but with Microsoft, and there is no type of mitigation until Microsoft patches it.Depends on the threat model, whether you consider your end user trusted or not. So that means there really is no mitigation to this other than, maybe, application blacklisting?Įxpanding on the above, that means it would be far easier for someone to create a malicious dll file that explots the inherent vulnerability in Microsoft's CHM system, and then you have an exploit that doesn't depend on 7zip at all. Its typical for the "uninstallstring" to actually be an installation string so if you wish to script it silently the string needs to be modified slightly.Stealth006 said:The mitigation steps don't quite make sense to me, because if someone really wanted to exploit this, they would just have to download the affected 7zip executable, the affected chm file, and the specifically crafted 7z file to any system, and voila.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |