Heap-based buffer overflow in 7-Zip - CVE-2007-4725
Published: September 5, 2007 / Updated: September 19, 2020
Vulnerability identifier: #VU46811
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2007-4725
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: 7-zip.org
Affected software:
7-Zip
7-Zip
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Stack consumption vulnerability in AkkyWareHOUSE 7-zip32.dll before 4.42.00.04, as derived from Igor Pavlov 7-Zip before 4.53 beta,. A remote attacker can use a long filename in an archive to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2007-4725
Install update from vendor's website.
Sources
- http://akky.cjb.net/security/7-zip3.txt
- http://jvn.jp/jp/JVN%2362868899/index.html
- http://osvdb.org/40482
- http://secunia.com/advisories/26624
- http://sourceforge.net/project/shownotes.php?release_id=535160&group_id=14481
- http://www.securityfocus.com/bid/25545
- http://www.vupen.com/english/advisories/2007/3086
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36459