Bypassing Mark of the Web with 7zip CVE-2025-0411

Introduction

7-Zip Mark-of-the-Web (MoTW) bypass vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit it: the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files, so the usual "this file came from another computer" protections (and the security prompts that depend on them) are not applied. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. It was tracked as ZDI-CAN-25456.

Exploitation Steps

1. Build and Load an EXE

2. Double Compress with 7-Zip

3. Test the EXE Callback

4. Look at the MoTW on the extracted files

Testing for CVE-2025-0411 on a Windows Machine:

Prerequisites:

  • A Windows machine with an outdated version of 7-Zip (prior to version 24.09).

  • A crafted archive designed to exploit the CVE-2025-0411 vulnerability.

Steps:

  1. Prepare the Environment:

    • Ensure that 7-Zip version 24.08 or earlier is installed on the Windows machine.

    • Obtain a crafted archive that exploits the vulnerability. This archive should be designed to bypass the MoTW when extracted.

  2. Conduct the Test:

    • Download the crafted archive from an external source (e.g., via a web browser) to ensure it receives the MoTW.

    • Right-click the downloaded archive, select "Properties," and verify the presence of the MoTW message: "This file came from another computer and might be blocked to help protect this computer."

    • Use 7-Zip to extract the contents of the archive.

    • After extraction, right-click the extracted files, select "Properties," and check if the MoTW is absent.

    • Attempt to execute the extracted files. If they run without security warnings, it indicates that the MoTW was bypassed successfully.
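The "Properties" checks in the steps above read the Zone.Identifier alternate data stream, which is where Windows stores the Mark of the Web. The following PowerShell script is an added example (it is not part of the original page and not a 7-Zip tool) that automates the same verification for a defender: it reports the installed 7-Zip version against the 24.09 fix, confirms that the downloaded archive carries the mark, and then lists every extracted file that lost it. The archive path, extraction folder and 7-Zip install path are placeholders/assumptions to be adjusted for the machine under test, and the exact format of the ProductVersion string is assumed to be "major.minor".

```powershell
# Added example, not code from the original page: verify MoTW propagation after extraction
# and check whether the installed 7-Zip is at or above the fixed release (24.09).
# All three paths are placeholders; point them at the archive and folder under test.
param(
    [string]$Archive    = "$env:USERPROFILE\Downloads\sample.7z",  # downloaded archive (placeholder)
    [string]$ExtractDir = "$env:USERPROFILE\Downloads\extracted",  # folder 7-Zip extracted into (placeholder)
    [string]$SevenZip   = "$env:ProgramFiles\7-Zip\7z.exe"         # default install path (assumption)
)

# Zone.Identifier is the alternate data stream that carries the Mark of the Web.
# ZoneId=3 (Internet) or 4 (Restricted sites) is what produces the
# "This file came from another computer..." notice in the Properties dialog.
function Get-MotwZone {
    param([string]$Path)
    try {
        $content = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no stream at all: the file carries no MoTW
    }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null       # stream present but malformed: treat as unmarked
}

# 1. Installed 7-Zip version. Per the advisory, anything before 24.09 is affected.
if (Test-Path $SevenZip) {
    $productVersion = (Get-Item $SevenZip).VersionInfo.ProductVersion   # e.g. "24.08" (format assumed)
    try {
        if ([version]$productVersion -lt [version]'24.09') {
            Write-Warning "7-Zip $productVersion is older than 24.09 and is affected by CVE-2025-0411."
        } else {
            Write-Host "7-Zip $productVersion includes the fix for CVE-2025-0411."
        }
    } catch {
        Write-Warning "Could not parse 7-Zip version string '$productVersion'; check it manually."
    }
} else {
    Write-Warning "7z.exe not found at $SevenZip; adjust -SevenZip if 7-Zip is installed elsewhere."
}

# 2. The downloaded archive itself must carry the mark, otherwise the test proves nothing.
$archiveZone = Get-MotwZone -Path $Archive
if ($null -eq $archiveZone -or $archiveZone -lt 3) {
    Write-Warning "Archive '$Archive' has no Internet-zone MoTW (ZoneId=$archiveZone); re-download it via a browser."
} else {
    Write-Host "Archive carries MoTW (ZoneId=$archiveZone)."
}

# 3. Walk the extracted tree and report every file that did not inherit the mark.
$results = Get-ChildItem -Path $ExtractDir -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        File   = $_.FullName
        ZoneId = Get-MotwZone -Path $_.FullName
    }
}
$results | Format-Table -AutoSize

$unmarked = @($results | Where-Object { $null -eq $_.ZoneId -or $_.ZoneId -lt 3 })
if ($unmarked.Count -gt 0) {
    Write-Warning ("{0} extracted file(s) lack the MoTW. MoTW was not propagated; " +
                   "update 7-Zip to 24.09 or later.") -f $unmarked.Count
} else {
    Write-Host "All extracted files carry the MoTW; propagation is working."
}
```

Run the script after the extraction step, pointing it at the archive that was downloaded in the browser and at the folder 7-Zip extracted into. On an affected installation the downloaded archive shows ZoneId=3 while the extracted files report no Zone.Identifier stream at all; on 7-Zip 24.09 or later every extracted file should show ZoneId=3, which is the condition under which SmartScreen and the Office protected view continue to apply.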

