Flaw in NTFS Compression Logic
A high-severity vulnerability has been discovered in version 26.00 of the popular 7-Zip archiving tool. The flaw exists within the program's NTFS archive handler, specifically in how it calculates buffer sizes for compressed data streams. When the tool processes a maliciously crafted NTFS image that sets certain parameters in a specific way, an integer overflow occurs in the C++ size calculation. This causes the program to allocate an extremely small buffer of only one byte, while the subsequent read operation attempts to write up to 256 megabytes of attacker-controlled data into that minuscule space.
Exploitation and Impact
This memory corruption leads to what security researchers call a vtable hijack. The object managing the stream data is located on the heap immediately after the undersized buffer. During the first large write operation, the attacker's data overwrites the object's virtual function pointer table (vtable). On the next iteration, the program calls through these corrupted pointers, giving the attacker control over execution flow. Both 32-bit and 64-bit systems are vulnerable, though on systems with limited memory the attack may be restricted to a denial-of-service condition. A particularly concerning aspect is that the exploit does not depend on the file extension. The NTFS handler activates based on internal file signatures, so a malicious file disguised with any extension such as .zip or .rar can still trigger the vulnerable code path. Users need only open the file to be compromised. All versions of 7-Zip through 26.00 contain the defective code.
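The two paragraphs above describe a classic pattern: a buffer size computed from untrusted header fields wraps in 32-bit arithmetic, so a tiny allocation is followed by a read sized from the original, unwrapped values. The following C example is added here to illustrate that defect class and its fix; it is constructed for this article and is not 7-Zip's code. The size model (cluster_count times cluster_size), the function names, and the 256 MB policy limit MAX_STREAM_BYTES are assumptions chosen to mirror the figures in the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy bound on a single decompressed stream (256 MB, matching the
 * largest write the article mentions). Constructed for this example. */
#define MAX_STREAM_BYTES (256u * 1024u * 1024u)

enum { STREAM_OK = 0, STREAM_BAD_SIZE = 1, STREAM_BAD_LENGTH = 2, STREAM_NO_MEMORY = 3 };

/* Defective pattern: both operands come from the untrusted image header and
 * the product is formed in 32-bit arithmetic, so it wraps modulo 2^32.
 * Hostile values can make a multi-gigabyte stream look like a one-byte one. */
uint32_t vulnerable_buffer_size(uint32_t cluster_count, uint32_t cluster_size)
{
    return cluster_count * cluster_size;
}

/* Hardened pattern: widen to 64 bits before multiplying, then reject a
 * result that is zero, exceeds the policy limit, or (implicitly) would not
 * have fit in 32 bits. Returns 0 when the header is rejected. */
size_t checked_buffer_size(uint32_t cluster_count, uint32_t cluster_size)
{
    uint64_t product = (uint64_t)cluster_count * (uint64_t)cluster_size;
    if (product == 0 || product > MAX_STREAM_BYTES)
        return 0;
    return (size_t)product;
}

/* Hardened stream read: the byte count the header asks us to read is checked
 * against the actual allocation before any copy takes place, so the heap
 * object that follows the buffer can never be overwritten. */
int process_stream(uint32_t cluster_count, uint32_t cluster_size,
                   const uint8_t *data, size_t declared_len)
{
    size_t need = checked_buffer_size(cluster_count, cluster_size);
    if (need == 0)
        return STREAM_BAD_SIZE;
    if (declared_len > need)
        return STREAM_BAD_LENGTH;   /* would have written past the buffer */
    uint8_t *buf = malloc(need);
    if (!buf)
        return STREAM_NO_MEMORY;
    memcpy(buf, data, declared_len);
    free(buf);
    return STREAM_OK;
}

int main(void)
{
    uint8_t sample[16] = {0};   /* constructed stream payload */
    /* (2^32 - 1)^2 is congruent to 1 mod 2^32: the wrapped size is one byte. */
    printf("wrapped size:   %u\n", vulnerable_buffer_size(0xFFFFFFFFu, 0xFFFFFFFFu));
    printf("checked size:   %zu (0 = rejected)\n", checked_buffer_size(0xFFFFFFFFu, 0xFFFFFFFFu));
    printf("legit stream:   %d\n", process_stream(4u, 4u, sample, sizeof sample));
    printf("hostile stream: %d\n", process_stream(0xFFFFFFFFu, 0xFFFFFFFFu, sample, sizeof sample));
    return 0;
}
```

The detection angle for defenders follows from the same arithmetic: a parser that validates the header against an explicit upper bound, and that checks every read length against the allocation it actually made, turns the overflow into a rejected file rather than a heap overwrite. Compiler flags such as -ftrapv or UBSan's unsigned-overflow check are useful during fuzzing of handlers like this one, because wraparound in size calculations is otherwise silent.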
Source: Cyber Security News