A new zero-day vulnerability (CVE-2022-29072) has been discovered that allows easy privilege escalation and command execution. A simple drag and drop is all that is needed to trigger it. Researchers have found that when a file with the .7z extension is dragged to the Help>Contents area, it causes a heap overflow in 7zFM.exe, which results in privilege escalation (usually to Admin). 7-Zip has yet to patch the vulnerability; however, two known mitigations are available:
- Deleting the 7-zip.chm file.
- Allowing 7-Zip only read and run permissions for all users.
However, it must be noted that this vulnerability is disputed as of the time of writing.
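Both mitigations can be audited with a read-only check, saved as a script and run on the host. This is an added example, not code from the article or the 7-Zip project; the default install directory is an assumption, and which principals may legitimately keep write access is a local decision the script does not make.

```powershell
# Added example: read-only audit of the two mitigations; it changes nothing.
param(
    # Assumption: default install location. Pass -InstallDir if it differs.
    [string]$InstallDir = (Join-Path $env:ProgramFiles '7-Zip')
)

# Rights treated as "read and run": ReadAndExecute, Synchronize, and the
# generic execute/read bits that appear in some inherited ACEs.
$ReadRunMask = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
               [int][System.Security.AccessControl.FileSystemRights]::Synchronize -bor
               0x20000000 -bor 0x80000000

function Get-ExcessAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Any bit outside the read-and-run mask is reported.
        $excess = [int]$ace.FileSystemRights -band (-bnot $ReadRunMask)
        if ($excess -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Path      = $Path
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "7-Zip directory not found: $InstallDir"
}

# Mitigation 1: the help file should have been deleted.
$chm = Join-Path $InstallDir '7-zip.chm'
if (Test-Path -LiteralPath $chm -PathType Leaf) {
    Write-Output "[!] Mitigation 1 not applied: $chm is present"
} else {
    Write-Output "[ok] Mitigation 1 applied: 7-zip.chm is absent"
}

# Mitigation 2: list every Allow entry that grants more than read and run.
$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
$findings = @($items | ForEach-Object { Get-ExcessAce -Path $_.FullName })
if ($findings.Count -eq 0) {
    Write-Output "[ok] Mitigation 2 applied: only read and run rights are granted"
} else {
    Write-Output "[!] Mitigation 2: $($findings.Count) entries grant more than read and run"
    $findings | Sort-Object Identity, Path | Format-Table -AutoSize
}
```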
Links:
- https://github.com/sentinelblue/CVE-2022-29072
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29072