
I don't understand security stuff really (the computer misbehaves frequently enough when I'm not trying to do evil things to it, why would I try to make it worse?) but this seems a little weird to me. Why does 7zip even have admin privileges to give away, in the first place? It seems to be based on some odd interaction with the help system but I can't really parse the description.

The description of the bug seems a bit weird.

> At this stage, 7-zip stated that the vulnerability was caused by hh.exe, but they were told that if there were a command injection from hh.exe, a child process should be created under hh.exe, so in particular the heap-overflow side of this vulnerability will not be shared with the community.

I think this is a reference to a conversation with the people behind 7-zip (?). It seems like a weird mix of technical details and finger-pointing.

> As is known, the Microsoft helper, i.e. the hh.exe file, is defined as "HTML Help (full name: Microsoft HTML Help Executable), the program that opens help files with the .chm extension." Many operations such as XXE and command execution are performed through the hh.exe file. It is possible to see vulnerabilities such as XXE or command execution in every program that uses the hh.exe interface. This issue came to my mind after the discovery of the XXE vulnerability detected in WinRAR (https://www.exploit-db.com/exploits/47526). Although the developers of 7-zip say that Microsoft should fix the command-execution capability obtained from hh.exe at this point, it has been observed that, at the end of the day, thanks to the heap overflow in 7zFM.exe and the command-execution feature in hh.exe, privilege elevation to administrator mode is achieved.

Seems like a pretty solid argument from the 7zip folks, right? They can't really be blamed if the Windows help system has decided to give them root for some reason. And since 7zip is partially open source, any would-be hacker could just grab an old version of the code if they wanted to weaponize this, right?

But maybe there's something I'm missing.
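One practical thing a defender can take from the quoted exchange is that the 7-zip side's own test ("a child process should be created under hh.exe") doubles as a detection signal: the HTML Help viewer is a document renderer, so any process it spawns is worth reviewing. The script below is an added example, not code from this thread or from the 7-Zip project. It scans Sysmon-style process-creation records (the field names, the executable paths and every sample event are constructed assumptions) and flags processes whose parent is hh.exe, while recording hh.exe launches from 7zFM.exe as context, since those are expected whenever a user opens the built-in help.

```python
"""Flag suspicious hh.exe process relationships in process-creation telemetry.

Added example, not from the thread or from 7-Zip. It assumes records shaped
like Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events
are constructed, not captured from a real host.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the process that created it
    command_line: str


# Constructed sample events (paths are illustrative assumptions).
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Program Files\7-Zip\7zFM.exe",
              r"C:\Windows\explorer.exe", "7zFM.exe"),
    # 7zFM.exe opening its help file: expected, recorded as context only.
    ProcEvent(4120, r"C:\Windows\hh.exe",
              r"C:\Program Files\7-Zip\7zFM.exe",
              r'hh.exe "C:\Program Files\7-Zip\7-zip.chm"'),
    # A help viewer should not be launching other programs: this is the signal.
    ProcEvent(4130, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\hh.exe", "cmd.exe /c echo test"),
    # hh.exe started from the shell, no children: nothing to report.
    ProcEvent(4140, r"C:\Windows\hh.exe",
              r"C:\Windows\explorer.exe",
              r'hh.exe "C:\Windows\Help\sample.chm"'),
]

# Applications known (from the report) to hand help requests to hh.exe.
HELP_CALLERS = {"7zfm.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: ProcEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an event worth recording, else None."""
    image = basename(event.image)
    parent = basename(event.parent_image)
    if parent == "hh.exe":
        # Any child of the help viewer is the "child process under hh.exe"
        # the report's own reasoning points at; review it.
        return ("high", f"hh.exe spawned {image}")
    if image == "hh.exe" and parent in HELP_CALLERS:
        # Normal help usage, kept so the analyst can correlate with the above.
        return ("info", f"hh.exe launched by {parent}")
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Collect (pid, severity, reason) for every event that classify() reports."""
    findings = []
    for event in events:
        result = classify(event)
        if result is not None:
            severity, reason = result
            findings.append((event.pid, severity, reason))
    return findings


if __name__ == "__main__":
    for pid, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```

The rule deliberately keys on the parent/child relationship rather than on a particular command line, because the report itself only says that a command injection would show up as a child under hh.exe; whatever that child turns out to be, it lands in the "high" bucket, and the preceding "info" record tells the analyst which application handed the help file to hh.exe.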
