An X user with the handle @NSA_Employee39 claimed to have disclosed a zero-day vulnerability in the open-source file archiving software 7-Zip.

A verified X account, @NSA_Employee39, claimed to disclose a zero-day vulnerability in the open-source file archiving software 7-Zip. The X user announced it would be 'dropping 0days all this week,' starting with an arbitrary code execution vulnerability in 7-Zip. According to the claim, an attacker could exploit this vulnerability to execute malicious code on victims' systems by tricking them into opening a specially crafted .7z archive.

> Hey guys, as a thank you to all the new followers, I will be dropping 0days all this week until MyBB.
>
> Here's an ACE vulnerability in 7zip.
>
> (Can't access GitHub until I get home, sorry lol)
>
> Offsets might need changing, slight modifications based on victim…
>
> — a (@NSA_Employee39) [December 30, 2024](https://twitter.com/NSA_Employee39/status/1873644808998367272?ref_src=twsrc%5Etfw)

![7-Zip zero-day vulnerability](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2024/12/image-35.png?resize=1024%2C857&ssl=1)

The user published the [exploit code](https://pastebin.com/KxQYFqwR) for this zero-day vulnerability on Pastebin.

'*This exploit targets a vulnerability in the LZMA decoder of the 7-Zip software. It uses a crafted .7z archive with a malformed LZMA stream to trigger a buffer overflow condition in the RC_NORM function. By aligning offsets and payloads, the exploit manipulates the internal buffer pointers to execute shellcode which results in arbitrary code execution,*' the user [wrote](https://pastebin.com/KxQYFqwR) on Pastebin. '*When the victim opens/extracts the archive using a vulnerable version (current version) of 7-Zip, the exploit triggers, executing a payload that launches calc.exe (You can change this).*'

However, many experts criticized the claim, stating that the exploit does not work and that the zero-day vulnerability does not exist.

> maybe I just suck but I don't think this is real.
>
> been messing with this PoC for over an hour and can't get it to do anything. no crashes, no hangs. doesn't timeout.
>
> ALSO: why are you hardcoding function addresses in windows shellcode? PEB walk? smells weird.
>
> — Low Level (@LowLevelTweets) [December 30, 2024](https://twitter.com/LowLevelTweets/status/1873747408976507267?ref_src=twsrc%5Etfw)

The author of 7-Zip, Igor Pavlov, states that this vulnerability is fake: he explained that there is no `RC_NORM` function in the LZMA decoder.

'*The common conclusion is that this fake exploit code from Twitter was generated by LLM (AI),*' [wrote](https://sourceforge.net/p/sevenzip/bugs/2539/) Pavlov. '*The comment in the "fake" code contains the statement:*

> This exploit targets a vulnerability in the LZMA decoder of the 7-Zip software. It uses a crafted .7z archive with a malformed LZMA stream to trigger a buffer overflow condition in the RC_NORM function.

*But there is no `RC_NORM` function in the LZMA decoder. Instead, 7-Zip contains an `RC_NORM` macro in the LZMA encoder and the PPMD decoder. Thus, the LZMA decoding code does not call `RC_NORM`. And the statement about `RC_NORM` in the exploit comment is not true.*'

Follow me on Twitter: [**@securityaffairs**](https://twitter.com/securityaffairs) and [**Facebook**](https://www.facebook.com/sec.affairs) and [Mastodon](https://infosec.exchange/@securityaffairs)

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) **([SecurityAffairs](http://securityaffairs.co/wordpress/) – hacking, zero-day)**
Blog: Security Affairs