CVE-2024-11477 is a recently identified vulnerability in affected installations of the popular file archiving utility 7-Zip. If exploited, this critical vulnerability allows remote attackers to execute arbitrary code on the targeted system. According to the security researchers, the flaw lies in the Zstandard decompression code used by 7-Zip, and triggering it requires interaction with the affected library; the attack vector may vary depending on the specific implementation. In this blog post, we look at the details of the vulnerability, the relevant code snippet, related links, and what is known about proof-of-concept exploitation.

Vulnerability Details

The vulnerability, tracked by the Zero Day Initiative as ZDI-CAN-24346, lies in the implementation of Zstandard decompression. It stems from the lack of proper validation of user-supplied data, which leads to an integer underflow before data is written to memory. An attacker can leverage this flaw to execute arbitrary code in the context of the current process.

Consider the following vulnerable piece of code from the Zstandard decompression routine:

size_t ZSTD_decompress(void* dst, size_t dstCapacity,
                      const void* src, size_t compressedSize)
{
    ...
    /* windowSize and curBlockCompressedSize are read from the frame header,
       i.e. they are attacker-controlled. The else-operand of the conditional
       is missing in the original snippet; 0 is assumed here. */
    unsigned long long const neededRBsize = windowSize > 1 ? (windowSize + curBlockCompressedSize) : 0;
    /* No check that the sum fits in size_t or stays within a sane bound */
    size_t const neededBufferSize = (size_t)neededRBsize + blockSize;
    ...

    /* If the buffer is too small, resize it */
    if (dctx->outBuffSize < neededBufferSize)
    {
        /* A wrapped-around neededBufferSize yields a buffer that is smaller
           than the block that is later written into it */
        BYTE* const tmp = (BYTE*) realloc(dctx->outBuff, neededBufferSize);
        ...
    }
    ...
}

In the code snippet above, "neededBufferSize" is computed from user-supplied values (the window and block sizes taken from the compressed input) without proper validation, and the unvalidated result is then used in the "if" condition that decides whether to resize the output buffer. An integer underflow in this calculation produces a buffer length that does not match the data later written into it, which is how this flaw compromises the security of the system.
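To make the failure mode concrete, here is an added example (written for this post, not code from 7-Zip or the zstd project) that puts the unchecked size computation from the snippet beside a checked version. The `demo_dctx` struct, the `DEMO_MAX_WINDOW` cap and all function names are assumptions for the example; the header values fed in are constructed. The checked version rejects implausible header values and refuses to proceed if any addition or the `size_t` cast would wrap, so the resize step never allocates a buffer that is smaller than the data it must hold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on the window a frame may request. The value is an assumption
 * for this example, not 7-Zip's or zstd's actual limit. */
#define DEMO_MAX_WINDOW ((uint64_t)1 << 27)

/* Minimal stand-in for the decoder context fields used in the snippet above;
 * the struct and its field names are assumptions for this example. */
typedef struct {
    unsigned char *outBuff;
    size_t         outBuffSize;
} demo_dctx;

/* Unchecked computation, shaped like the vulnerable snippet: header-supplied
 * values are added and cast to size_t without any range or wrap check, so a
 * hostile header can make the result small while the data is large. */
size_t unchecked_needed_size(uint64_t windowSize,
                             uint64_t curBlockCompressedSize,
                             size_t blockSize)
{
    uint64_t const neededRBsize =
        windowSize > 1 ? windowSize + curBlockCompressedSize : 0;
    return (size_t)neededRBsize + blockSize;
}

/* Hardened computation: reject values above the policy cap and refuse to
 * proceed if any addition or the size_t cast would wrap. */
bool checked_needed_size(uint64_t windowSize,
                         uint64_t curBlockCompressedSize,
                         size_t blockSize,
                         size_t *out)
{
    if (windowSize > DEMO_MAX_WINDOW || curBlockCompressedSize > DEMO_MAX_WINDOW)
        return false;                         /* implausible header values */

    uint64_t neededRBsize = 0;
    if (windowSize > 1) {
        if (windowSize > UINT64_MAX - curBlockCompressedSize)
            return false;                     /* 64-bit addition would wrap */
        neededRBsize = windowSize + curBlockCompressedSize;
    }
#if SIZE_MAX < UINT64_MAX
    if (neededRBsize > (uint64_t)SIZE_MAX)
        return false;                         /* does not fit in size_t */
#endif
    size_t const rb = (size_t)neededRBsize;
    if (rb > SIZE_MAX - blockSize)
        return false;                         /* final addition would wrap */

    *out = rb + blockSize;
    return true;
}

/* Resize step from the snippet, now driven by the checked size. A frame whose
 * header fails validation is rejected before any allocation happens. */
bool ensure_out_buffer(demo_dctx *d, uint64_t windowSize,
                       uint64_t curBlockCompressedSize, size_t blockSize)
{
    size_t needed;
    if (!checked_needed_size(windowSize, curBlockCompressedSize, blockSize, &needed))
        return false;
    if (d->outBuffSize < needed) {
        unsigned char *tmp = realloc(d->outBuff, needed);
        if (tmp == NULL)
            return false;
        d->outBuff = tmp;
        d->outBuffSize = needed;
    }
    return true;
}

int main(void)
{
    /* Constructed header values: a benign frame and one whose window size
     * is chosen so that the unchecked 64-bit sum wraps to a tiny number. */
    size_t const benign  = unchecked_needed_size(1u << 20, 1u << 16, 1u << 17);
    size_t const wrapped = unchecked_needed_size(UINT64_MAX - 8, 16, 100);
    printf("unchecked: benign=%zu hostile=%zu (wrapped)\n", benign, wrapped);

    demo_dctx d = { NULL, 0 };
    bool ok_benign  = ensure_out_buffer(&d, 1u << 20, 1u << 16, 1u << 17);
    bool ok_hostile = ensure_out_buffer(&d, UINT64_MAX - 8, 16, 100);
    printf("checked: benign=%s (buffer %zu bytes) hostile=%s\n",
           ok_benign ? "ok" : "rejected", d.outBuffSize,
           ok_hostile ? "ok" : "rejected");
    free(d.outBuff);
    return 0;
}
```

The unchecked path turns the hostile header into a request for 107 bytes, while the checked path rejects it outright and leaves the existing buffer untouched. The cap check is the part that matters most in practice: once header values are bounded to something a real frame could legitimately need, the later wrap checks become defence in depth rather than the only line of protection.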

For more details on the CVE-2024-11477 vulnerability, refer to the following resources:

1. Original Advisory: http://www.zerodayinitiative.com/advisories/ZDI-24-11477/
2. 7-Zip Official Website: https://www.7-zip.org/
3. Zstandard GitHub Repository: https://github.com/facebook/zstd
4. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-11477

Exploit Details

Although no public exploit is available at the moment, the vulnerability can evidently be triggered by a crafted malicious archive that uses Zstandard (".zst") compression. When a user extracts such an archive with a vulnerable 7-Zip version, the attacker can execute arbitrary code on the targeted system.

Mitigation

Users are strongly encouraged to update their 7-Zip software to the latest version, which addresses the vulnerability. The latest version can be downloaded from the official website at https://www.7-zip.org/download.html.

In conclusion, the CVE-2024-11477 vulnerability exposes millions of users to potential remote code execution attacks. It is imperative for organizations and individuals to keep their software up to date to minimize the risk of exposure. Furthermore, developers working on 7-Zip and similar tools should diligently validate user-supplied data and follow security best practices to prevent such vulnerabilities from creeping in.

Timeline

Published on: 11/22/2024 21:15:08 UTC