Last summer I decided to look into fuzzing 7-Zip. I gathered an interesting corpus of archive files covering all the formats 7-Zip supports and started a fuzzing campaign with AFL++.
After a few days of running, the fuzzer found an interesting input. Once opened, the input keeps 7-Zip "decompressing" for an unlimited amount of time. The issue was a function improperly checking user input, which resulted in an infinite loop.
Considering that 7-Zip is a critical piece of software used in numerous infrastructure back-ends, I decided to report the bug to the Zero Day Initiative.
And now, after a few months, the bug is finally disclosed: CVE-2024-11612 – 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability.
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
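To make the bug class concrete, here is an added illustration of how a stream-copy loop driven by header-supplied sizes can spin forever, placed beside a version that checks its input and its progress. This is my own constructed C code written for this post; it is not 7-Zip's CopyCoder, not the advisory's text, and does not reproduce the actual 7-Zip logic error. The `MemStream` type, `read_some`, `copy_naive`, `copy_checked` and the `run_*` helpers are all hypothetical names, and the "archive" is a constructed in-memory byte string.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed in-memory input stream: `avail` bytes really exist,
   regardless of what an archive header may claim. */
typedef struct {
    const uint8_t *data;
    size_t avail;
    size_t pos;
} MemStream;

/* Sequential read: returns the number of bytes delivered; 0 means
   end of data (the usual ISequentialInStream-style contract). */
static size_t read_some(MemStream *s, uint8_t *buf, size_t n)
{
    size_t left = s->avail - s->pos;
    if (n > left)
        n = left;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Safety cap so the "vulnerable" loop terminates in this demo;
   a real decoder without it would simply never return. */
#define SPIN_LIMIT 100000UL

/* Naive copier: `total` and `chunk` both come from the (untrusted) header.
   If the stream stops delivering bytes (truncated data) or chunk is 0,
   `copied` never reaches `total` and the loop makes no progress.
   Returns bytes copied, or -1 if the loop hit SPIN_LIMIT (would spin forever). */
long copy_naive(MemStream *in, uint8_t *out, size_t total, size_t chunk)
{
    size_t copied = 0;
    unsigned long iters = 0;
    while (copied < total) {
        size_t want = total - copied;
        if (want > chunk)
            want = chunk;
        copied += read_some(in, out + copied, want);   /* no check on progress */
        if (++iters > SPIN_LIMIT)
            return -1;
    }
    return (long)copied;
}

/* Hardened copier: reject a nonsensical header value up front and treat
   a zero-byte read before `total` as a data error instead of retrying.
   Returns bytes copied, -2 for a bad header, -3 for truncated data. */
long copy_checked(MemStream *in, uint8_t *out, size_t total, size_t chunk)
{
    if (chunk == 0)
        return -2;
    size_t copied = 0;
    while (copied < total) {
        size_t want = total - copied;
        if (want > chunk)
            want = chunk;
        size_t n = read_some(in, out + copied, want);
        if (n == 0)                                      /* EOF: no progress possible */
            return -3;
        copied += n;
    }
    return (long)copied;
}

/* Helpers: build a constructed stream holding `avail` sample bytes and run
   each copier against a header that declares `total` bytes in `chunk`-sized steps. */
long run_naive(size_t avail, size_t total, size_t chunk)
{
    uint8_t data[64], out[64];
    if (avail > sizeof data || total > sizeof out)
        return -99;
    for (size_t i = 0; i < avail; i++)
        data[i] = (uint8_t)i;
    MemStream s = { data, avail, 0 };
    return copy_naive(&s, out, total, chunk);
}

long run_checked(size_t avail, size_t total, size_t chunk)
{
    uint8_t data[64], out[64];
    if (avail > sizeof data || total > sizeof out)
        return -99;
    for (size_t i = 0; i < avail; i++)
        data[i] = (uint8_t)i;
    MemStream s = { data, avail, 0 };
    return copy_checked(&s, out, total, chunk);
}

int main(void)
{
    printf("naive,   honest header      : %ld\n", run_naive(8, 8, 4));
    printf("naive,   truncated data     : %ld\n", run_naive(8, 16, 4));
    printf("naive,   zero chunk size    : %ld\n", run_naive(8, 8, 0));
    printf("checked, honest header      : %ld\n", run_checked(8, 8, 4));
    printf("checked, truncated data     : %ld\n", run_checked(8, 16, 4));
    printf("checked, zero chunk size    : %ld\n", run_checked(8, 8, 0));
    return 0;
}
```

The two failure modes in the demo are exactly the kind of thing a fuzzer with a hang timeout surfaces: the input is syntactically acceptable, but a size field the code trusts can never be satisfied. The fix pattern is the same regardless of the decoder: validate header-derived sizes before the loop, and treat a zero-progress iteration as an error rather than something to retry.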
Here is a file triggering the bug:
- https://www.zerodayinitiative.com/advisories/ZDI-24-1606/
- https://www.7-zip.org/