Vulnerability in 7-Zip allowing access to SYSTEM privileges in Windows

A vulnerability has been identified in the free 7-Zip archiver (CVE-2022-29072) that allows arbitrary commands to be executed with SYSTEM privileges by moving a specially crafted file with the .7z extension into the help window that appears when the Help > Contents menu is opened. The issue affects only the Windows platform and is caused by a combination of a misconfiguration of the 7z.dll library and a buffer overflow.

It is noteworthy that, after being notified of the problem, the 7-Zip developers did not acknowledge the vulnerability and stated that its source is the Microsoft HTML Help process (hh.exe), which runs code when the file is moved. The researcher who identified the vulnerability believes that hh.exe is only indirectly involved in exploitation and that the command specified in the exploit is launched by 7zFM.exe as a child process. The researcher attributes the possibility of command injection to a buffer overflow in the 7zFM.exe process and to incorrect permissions on the 7z.dll library.

As a demonstration, a help file that launches "cmd.exe" was shown. It was also announced that an exploit is being prepared that obtains SYSTEM privileges in Windows, but its code is planned for publication only after the release of a 7-Zip update that eliminates the vulnerability. Since no fix has been published yet, the proposed security workaround is to restrict access to the 7-Zip installation to read and execute permissions only.

Source: opennet.ru