7-Zip Arbitrary File Write Vulnerability Let Attackers Execute Arbitrary Code (cybersecuritynews.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 11 Aug 14:44
https://sh.itjust.works/post/43875331

#cybersecurity


andyburke@fedia.io on 11 Aug 16:43

How is a 7-zip user process able to write to system files, even if it is a symlink?

Either the security issue is outside 7-zip or this writeup doesn't make much sense.

elvith@feddit.org on 11 Aug 19:26

If you click through to the original advisory it becomes clear why this is rated quite low: because of what you said. Quote:

An attacker may leverage this arbitrary file write to achieve unauthorized access/code execution, such as by overwriting a user’s SSH keys or .bashrc file

You can write to whatever the user has access to, but that’s usually your home. To wreak havoc you need to either be lucky, or use some somewhat known files and paths that you can reasonably expect to exist - such as ~/.ssh/config or ~/.ssh/known_hosts or maybe a private ssh key. Otherwise you could add an alias to the shell profile for a command that you expect the user to run (e.g. alias ls to rm -rf ~). You could get quite creative with the last one (e.g. alias apt, dnf, zypper, etc. to any executable you want to run with sudo).

Edit: Why the fuck does Lemmy change a tilde to whatever attempt at turning it into an html tag that is?!

Appoxo@lemmy.dbzer0.com on 11 Aug 21:58

Just escape any special char with \

elvith@feddit.org on 12 Aug 04:57

Found the problem, it’s just the app Jerboa that somehow renders it strangely. Lemmy itself seems to behave fine

~/.ssh/config or ~/.ssh/known_hosts

as

<sub>/.ssh/config or </sub>/.ssh/known_hosts

woodytrombone@lemmy.world on 11 Aug 16:44

WinRAR users, you’re not safe either. CVE-2025-8088 published a few days ago looks like it’s exploiting the same/similar pathway.

Bubs@lemmy.zip on 11 Aug 22:17

From the article about what is vulnerable:

For Linux systems, attackers need the target to be using a vulnerable 7-Zip version while extracting an archive format that supports symbolic links, such as ZIP, TAR, 7Z, or RAR files.

On Windows systems, additional requirements must be met for successful exploitation. The 7-Zip extraction process must have elevated privileges or operate in Windows Developer Mode to create symbolic links. This makes Windows systems somewhat less susceptible but not immune to the attack.

So Linux users would have to scan for symbolic links beforehand, and Windows users just need to never run with elevated privileges, or scan beforehand if they do (I’m assuming that elevated privileges means “run as administrator”?)
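The "scan for symbolic links beforehand" mitigation Bubs mentions, and the mechanism elvith describes (a link in the archive that resolves to a path the user can write, followed by a file written through it), can be checked before any extraction happens. The script below is an added example written for this thread; it is not code from 7-Zip, from the advisory, or from anyone in the discussion. It uses only the Python standard library (tarfile and zipfile) and builds two small, clearly constructed sample archives in memory so it runs offline; it does not touch the real 7-Zip binary or any real archive.

```python
import io
import posixpath
import stat
import tarfile
import zipfile

# Verdicts produced by analyze_entries(). Any of them is a reason to refuse extraction
# (or to extract with a tool that never follows links while writing). All names are
# this example's own, not 7-Zip's.
SYMLINK_ESCAPE = "symlink-escapes-extraction-dir"
SYMLINK_RELATIVE = "symlink-relative"
WRITE_THROUGH = "writes-through-symlink"
NAME_TRAVERSAL = "path-traversal-in-name"


def _escapes(path: str) -> bool:
    """True if a path is absolute or climbs above the extraction directory via '..'."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")


def analyze_entries(entries):
    """entries: list of (name, link_target); link_target is None for regular files.
    Returns [(entry_name, verdict), ...] for every suspicious entry, in archive order."""
    link_names = {name for name, target in entries if target is not None}
    findings = []
    for name, target in entries:
        if _escapes(name):
            findings.append((name, NAME_TRAVERSAL))
        if target is not None:
            findings.append((name, SYMLINK_ESCAPE if _escapes(target) else SYMLINK_RELATIVE))
            continue
        # A regular file whose path passes through a link entry of the same archive
        # would be written wherever that link points once the link has been created.
        parts = name.split("/")
        for i in range(1, len(parts)):
            if "/".join(parts[:i]) in link_names:
                findings.append((name, WRITE_THROUGH))
                break
    return findings


def scan_tar(data: bytes):
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        entries = [(m.name, m.linkname if (m.issym() or m.islnk()) else None)
                   for m in tf.getmembers()]
    return analyze_entries(entries)


def scan_zip(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = []
        for info in zf.infolist():
            # Unix mode bits live in the high 16 bits of external_attr; S_IFLNK marks a
            # symlink whose target is stored as the entry's content.
            if stat.S_ISLNK(info.external_attr >> 16):
                entries.append((info.filename, zf.read(info).decode("utf-8", "replace")))
            else:
                entries.append((info.filename, None))
    return analyze_entries(entries)


def build_sample_tar() -> bytes:
    """Constructed sample: a link that climbs out of the extraction directory, plus a
    regular file routed through it. Not taken from any real malicious archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../"            # climbs out of the extraction directory
        tf.addfile(link)
        body = b"# constructed sample content\n"
        routed = tarfile.TarInfo("escape/.bashrc")
        routed.size = len(body)
        tf.addfile(routed, io.BytesIO(body))
        readme = tarfile.TarInfo("README")  # harmless entry, must not be flagged
        readme.size = len(body)
        tf.addfile(readme, io.BytesIO(body))
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed sample ZIP with one symlink entry and one ordinary file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("link")
        link.create_system = 3                            # Unix attribute layout
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../.ssh")
        zf.writestr("docs/readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, findings in (("tar", scan_tar(build_sample_tar())),
                            ("zip", scan_zip(build_sample_zip()))):
        print(label, "-> refuse" if findings else "-> ok")
        for name, verdict in findings:
            print(f"  {name}: {verdict}")
```

Two design notes. First, the scanner looks at archive metadata only, so it works the same on Linux and on Windows regardless of whether the extracting process could actually create links; a link entry in an archive you did not expect to contain links is worth a refusal either way. Second, flagging a regular entry that is routed through a link name from the same archive is the part a plain "does it contain symlinks" check misses, and it is exactly the write elvith describes (a link to somewhere the user can write, then a file dropped through it). Relative links that stay inside the extraction directory are reported separately so a policy can allow them for archives that legitimately use them.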