7-Zip vulnerability that allows obtaining SYSTEM privileges on Windows

A vulnerability (CVE-2022-29072) has been identified in the free 7-Zip archiver that allows arbitrary commands to be executed with SYSTEM privileges by dragging a specially crafted file with the .7z extension into the area displayed when the "Help > Contents" menu item is opened. The problem manifests only on the Windows platform and is caused by a combination of a misconfiguration of 7z.dll and a buffer overflow.

Notably, after being notified of the problem, the 7-Zip developers did not acknowledge the vulnerability and stated that its root cause is Microsoft HTML Help (hh.exe), which runs the code when the file is dragged. The researcher who found the flaw believes that hh.exe is only indirectly involved in exploitation, and that the command specified in the exploit is launched as a child process of 7zFM.exe. The reasons given for why a command-injection attack is possible are a buffer overflow in the 7zFM.exe process and incorrect privilege settings for the 7z.dll library.

As an example, a sample help file that launches "cmd.exe" is shown. An exploit that allows obtaining SYSTEM privileges on Windows was also announced, but its code is to be published only after a 7-Zip update that eliminates the vulnerability is released. Since no fix has yet been published, it is recommended as a protective measure to limit the 7-Zip program's permissions to read and execute only.
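One way to apply the read-and-execute-only mitigation mentioned above, as an added example that is not part of the original article and not code from the 7-Zip project: the script below replaces the inherited ACL on the 7-Zip installation directory so that ordinary users keep only read and execute rights, then verifies that no write right remains for them. The install path and the use of the built-in Administrators, SYSTEM and Users groups are assumptions; adjust them for your environment. It must be run from an elevated PowerShell session.

```powershell
# Added example (not from the article or the 7-Zip project): restrict a 7-Zip
# installation so that ordinary users can only read and execute its files.
# Assumption: default 64-bit install path; change $SevenZipDir if yours differs.
$SevenZipDir = 'C:\Program Files\7-Zip'

if (-not (Test-Path -LiteralPath $SevenZipDir)) {
    throw "7-Zip directory not found: $SevenZipDir"
}

# Drop inherited ACEs and set an explicit ACL: Administrators and SYSTEM keep
# full control (needed to install the fix later), Users get read+execute only.
# (OI)(CI) makes the entries propagate to existing and new files and folders.
icacls "$SevenZipDir" /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Users:(OI)(CI)RX' | Out-Null

# Verify: no Allow ACE for Users may carry any Write right.
$acl = Get-Acl -LiteralPath $SevenZipDir
$writable = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Users' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
}

if ($writable) {
    Write-Warning "Users still hold write rights on $SevenZipDir"
} else {
    Write-Host "Users are limited to read/execute on $SevenZipDir"
}
```

This is a stopgap, not a fix: it only removes the ability of unprivileged users to modify the 7-Zip binaries and help files, and it should be reverted or re-evaluated once the 7-Zip update that addresses the issue is installed.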



source: budenet.ru