I spoke to the researcher on twitter, his claims don't make much sense. He sent me a file he said proved his claims, but it was just some naïve attempt at directory traversal that couldn't possibly work. When I told him that, he said "that file doesn't belong to me anyway" - then explained he was planning his wedding and was too busy to answer more questions.
Logically, if there was a way to escalate privileges via 7-zip, then it could also be exploited with CreateRemoteThread() - why would a heap overflow be necessary? What change to 7-zip has he requested that would prevent that? Why the bizarre drag-and-dropping operation, why not just double click a HTA file?
I suspect there is no heap overflow and no privilege escalation.
Logically, if there was a way to escalate privileges via 7-zip, then it could also be exploited with CreateRemoteThread() - why would a heap overflow be necessary? What change to 7-zip has he requested that would prevent that? Why the bizarre drag-and-dropping operation, why not just double click a HTA file?
I suspect there is no heap overflow and no privilege escalation.