diff --git a/SecurityExploits/7-Zip/README.md b/SecurityExploits/7-Zip/README.md new file mode 100644 index 0000000..915716c --- /dev/null +++ b/SecurityExploits/7-Zip/README.md @@ -0,0 +1,36 @@ +# This directory contains proof of concept for GHSL-2025-058 (CVE-2025-53816) and GHSL-2025-059 (CVE-2025-53817) advisories. + +## GHSL-2025-058 (CVE-2025-53816) + +The `rar-crash.rar5` triggers heap buffer write overflow when 7zz 24.09 is compiled with ASAN and extracted, for example as `7zz e -so rar-crash.rar5`. On Windows the same PoC was tested to crash 7-Zip 24.09 even without ASAN. [The advisory](https://securitylab.github.com/advisories/GHSL-2025-058_7-Zip/). + +``` +==2188082==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc75fbcc844 at pc 0x5567af835070 bp 0x7fff7f71ce30 sp 0x7fff7f71c600 +WRITE of size 9469 at 0x7fc75fbcc844 thread T0 + #0 0x5567af83506f in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:67:3 + #1 0x5567b0167b0c in My_ZeroMemory(void*, unsigned long) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Compress/Rar5Decoder.cpp:63:5 + #2 0x5567b017c257 in NCompress::NRar5::CDecoder::Code(ISequentialInStream*, ISequentialOutStream*, unsigned long const*, unsigned long const*, ICompressProgressInfo*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Compress/Rar5Decoder.cpp:1905:11 + #3 0x5567aff075c0 in NArchive::NRar5::CUnpacker::Code(NArchive::NRar5::CItem const&, NArchive::NRar5::CItem const&, unsigned long, ISequentialInStream*, ISequentialOutStream*, ICompressProgressInfo*, bool&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/Rar/Rar5Handler.cpp:1165:24 + #4 0x5567aff24721 in NArchive::NRar5::CHandler::Extract(unsigned int const*, unsigned int, int, IArchiveExtractCallback*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/Rar/Rar5Handler.cpp:3293:25 + #5 0x5567b0244c0b in DecompressArchive(CCodecs*, CArchiveLink const&, unsigned long, NWildcard::CCensorNode const&, CExtractOptions const&, bool, IExtractCallbackUI*, IFolderArchiveExtractCallback*, CArchiveExtractCallback*, UString&, unsigned long&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:235:23 + #6 0x5567b023fe41 in Extract(CCodecs*, CObjectVector const&, CRecordVector const&, CObjectVector&, CObjectVector&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IFolderArchiveExtractCallback*, IHashCalc*, UString&, CDecompressStat&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:542:5 + #7 0x5567b02f9d8a in Main2(int, char**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/Main.cpp:1378:21 + #8 0x5567b0305b34 in main /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/MainAr.cpp:162:11 +``` + +## GHSL-2025-059 (CVE-2025-53817) + +The `compound-crash.poc` triggers null pointer write dereference when 7zz is compiled with ASAN and extracted, for example as `7zz e -so compound-crash.poc`. On Windows the same PoC was tested to crash 7-Zip 24.09 even without ASAN. [The advisory](https://securitylab.github.com/advisories/GHSL-2025-059_7-Zip/). + +``` +==2387581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5615317c0993 bp 0x7ffcb31a1350 sp 0x7ffcb31a1300 T0) +==2387581==The signal is caused by a WRITE memory access. +==2387581==Hint: address points to the zero page. + #0 0x5615317c0993 in CRecordVector::AddInReserved(unsigned int) ../../Archive/../../Common/MyVector.h:249:18 + #1 0x5615317bfe66 in NArchive::NCom::CHandler::GetStream(unsigned int, ISequentialInStream**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/ComHandler.cpp:866:28 + #2 0x5615317bea3d in NArchive::NCom::CHandler::Extract(unsigned int const*, unsigned int, int, IArchiveExtractCallback*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/ComHandler.cpp:806:20 + #3 0x561531e94bbb in DecompressArchive(CCodecs*, CArchiveLink const&, unsigned long, NWildcard::CCensorNode const&, CExtractOptions const&, bool, IExtractCallbackUI*, IFolderArchiveExtractCallback*, CArchiveExtractCallback*, UString&, unsigned long&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:235:23 + #4 0x561531e8fdf1 in Extract(CCodecs*, CObjectVector const&, CRecordVector const&, CObjectVector&, CObjectVector&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IFolderArchiveExtractCallback*, IHashCalc*, UString&, CDecompressStat&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:542:5 + #5 0x561531f49d3a in Main2(int, char**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/Main.cpp:1378:21 + #6 0x561531f55ae4 in main /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/MainAr.cpp:162:11 +``` \ No newline at end of file diff --git a/SecurityExploits/7-Zip/compound-crash.poc b/SecurityExploits/7-Zip/compound-crash.poc new file mode 100644 index 0000000..d49fa6c Binary files /dev/null and b/SecurityExploits/7-Zip/compound-crash.poc differ diff --git a/SecurityExploits/7-Zip/rar-crash.rar5 b/SecurityExploits/7-Zip/rar-crash.rar5 new file mode 100644 index 0000000..a7cee57 Binary files /dev/null and b/SecurityExploits/7-Zip/rar-crash.rar5 differ