CVE-2022-29072: 7-Zip Privilege Escalation Vulnerability

```powershell
if ((Test-Path -Path "${env:ProgramFiles}\7-Zip\7-zip.chm" -PathType Leaf) -And ((Get-Item "${env:ProgramFiles}\7-Zip\7z.exe").VersionInfo.FileVersion -eq "21.07")) { Remove-Item "${env:ProgramFiles}\7-Zip\7-zip.chm" -Force }
if ((Test-Path -Path "${env:ProgramFiles(x86)}\7-Zip\7-zip.chm" -PathType Leaf) -And ((Get-Item "${env:ProgramFiles(x86)}\7-Zip\7z.exe").VersionInfo.FileVersion -eq "21.07")) { Remove-Item "${env:ProgramFiles(x86)}\7-Zip\7-zip.chm" -Force }
```

Probably a hack job of reworking Lime’s log4j detection script, but this will use voidtools search everything app and powershell module to find all instances of 7-zip.chm and delete them. Use at your own risk, I suck at powershell.

```powershell
Import-Module $env:SyncroModule -DisableNameChecking

# PSEverything needs a recent .NET Framework; 528040 is the .NET 4.8 release number
if ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -lt 528040) {
    Rmm-Alert -Category '7Zip' -Body 'Probably need to update .NET to run this successfully'
}

# Track whether this script installed the portable Everything copy so it can be cleaned up at the end.
# (The original set $remove = 'no' inside the install block, which left the cleanup block unreachable.)
$remove = 'no'
if (!(Get-Service "Everything Client" -ErrorAction SilentlyContinue)) {
    $PortableEverythingURL = "https://www.voidtools.com/Everything-1.4.1.1015.x64.zip"
    Set-ExecutionPolicy Bypass -Scope Process -Force
    # Enable TLS 1.2 (0xC00 = 3072) for the download
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    Invoke-WebRequest -UseBasicParsing -Uri $PortableEverythingURL -OutFile "$($ENV:TEMP)\Everything.zip"
    Expand-Archive "$($ENV:TEMP)\Everything.zip" -DestinationPath $($ENV:Temp) -Force
    Remove-Item "$($ENV:TEMP)\Everything.zip" -Force
    & "$($ENV:TEMP)\everything.exe" -reindex
    Start-Sleep 30
    & "$($ENV:TEMP)\everything.exe" -install-client-service
    $remove = 'yes'
}

# Install the PSEverything module (wraps the Everything search service) if it is not already present
if (!(Get-Module -ListAvailable | Where-Object {$_.Name -like 'PSEverything'})) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
    Install-Module PSEverything
}

$7zipfiles = $null
$scanran = $false
if (Get-Module -ListAvailable | Where-Object {$_.Name -like 'PSEverything'}) {
    Write-Host "The almighty PSEverything module's Search-Everything command was found.`nDoing a new scan because we can..." -ForegroundColor Yellow
    $Timetaken = (Measure-Command {$7zipfiles = Search-Everything -Global -Filter 7-zip.chm}).TotalSeconds
    $scanran = $true

    Write-Host "See? That only took $Timetaken seconds to scan the entire C: Drive for 7zip files!" -ForegroundColor Green
}
else {
    # Without the module no scan happened, so do not report "no files found" below
    Rmm-Alert -Category '7Zip' -Body 'PSEverything module is not available; the 7-zip.chm scan did not run'
}

if ($scanran -and ($null -eq $7zipfiles)) {
    $getdate = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') N/A - No 7-zip.chm Files were found on this device"
    Write-Host "$getdate" -ForegroundColor Green
}
elseif ($scanran) {
    Write-Host "Found files" -ForegroundColor Yellow
    Foreach ($File in $7zipfiles) {
        Write-Host $File
        Remove-Item -LiteralPath $File -Force
    }
    Rmm-Alert -Category '7Zip' -Body "$7zipfiles"
}

# Only remove the portable Everything copy if this script installed it
if ($remove -eq 'yes') {
    Stop-Process -Name everything -Force
    & "$($ENV:TEMP)\everything.exe" -uninstall-client-service
    Start-Sleep 5
    Remove-Item "$($ENV:TEMP)\everything.exe" -Force
}
```

There has been a lot of talk over on Discord. This CVE only affects version 21.07 and I expect an update will be forthcoming. Removing the .chm file for only that version should block this enough until the update comes out. Removing the help file doesn’t prevent 7-Zip from working. Finally, Choco should be set up in your third party app policy to update 7-Zip, so this should be automatically updated when available and the script won’t touch the updated version.

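An added example (mine, not from anyone in this thread) that generalizes the version-gated approach above: instead of hard-coding the two Program Files paths, it reads the 7-Zip install location from the Uninstall registry keys (64-bit and WOW6432Node views), checks the 7z.exe file version the same way the first snippet does, and removes `7-zip.chm` only for the affected 21.07 build, returning a status object per install that an RMM can log. It assumes the 7-Zip installer's Uninstall entry carries `InstallLocation`; the function names are mine.

```powershell
# Assumption: the 7-Zip uninstall entry has DisplayName '7-Zip*' and an InstallLocation value.
function Get-7ZipInstall {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '7-Zip*' -and $_.InstallLocation } |
        ForEach-Object {
            $exe = Join-Path $_.InstallLocation '7z.exe'
            # Prefer the binary's FileVersion (the value the thread compares against "21.07");
            # fall back to the registry DisplayVersion if 7z.exe is missing
            $version = if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).VersionInfo.FileVersion }
                       else { $_.DisplayVersion }
            [pscustomobject]@{
                InstallLocation = $_.InstallLocation
                Version         = $version
                HelpFile        = Join-Path $_.InstallLocation '7-zip.chm'
            }
        }
}

function Invoke-7ZipChmMitigation {
    param(
        [string]$AffectedVersion = '21.07',  # only this build is affected, per the thread
        [switch]$WhatIf                       # report what would be removed without touching disk
    )
    foreach ($install in Get-7ZipInstall) {
        $status = if ($install.Version -ne $AffectedVersion) { 'not-affected' }
                  elseif (-not (Test-Path -LiteralPath $install.HelpFile -PathType Leaf)) { 'already-removed' }
                  else {
                      Remove-Item -LiteralPath $install.HelpFile -Force -WhatIf:$WhatIf
                      if ($WhatIf) { 'would-remove' } else { 'removed' }
                  }
        [pscustomobject]@{
            Path    = $install.InstallLocation
            Version = $install.Version
            Status  = $status
        }
    }
}

# Dry run first; drop -WhatIf to actually delete the help file on affected installs
Invoke-7ZipChmMitigation -WhatIf | Format-Table -AutoSize
```

Because the status comes back as objects rather than console text, the same output can be piped to `Rmm-Alert` or exported for a fleet-wide report of which machines still carried the 21.07 help file.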