intro

7z is a popular tool used for compression purpose, but the Meow of it can be very dangerous too if not used correctly. We’ll discuss this topic in this article

Zipping a symbolic link

Ever thought about how 7z will behave when facing a symbolic link? will it archive the link as a text file or will it archieve the linked directory? The answer is always: it depends.

In this case study, let’s look at how the flag -snl would impact the use of 7z.

Let’s first create the test environment

  • create a folder called test and a file named file1
  • create a secret folder at /tmp/secrets and a credential file at /tmp/secrets/credential
  • create a symlink in /test that points to /tmp/secrets
  • 7z the folder /test with the flag -snl and see what happens
┌──(root㉿kali)-[~/workspace/Meow]
└─# mkdir test    

┌──(root㉿kali)-[~/workspace/Meow]
└─# echo 1 > test/file1

┌──(root㉿kali)-[~/workspace/Meow]
└─# ls -ls test
total 4
4 -rw-r--r-- 1 root root 2 Apr 21 23:12 file1

┌──(root㉿kali)-[~/workspace/Meow]
└─# mkdir /tmp/secrets     

┌──(root㉿kali)-[~/workspace/Meow]
└─# echo secret > /tmp/secrets/credential

┌──(root㉿kali)-[~/workspace/Meow]
└─# ln -s /tmp/secrets test/secrets

┌──(root㉿kali)-[~/workspace/Meow]
└─# ls -ls test                    
total 4
4 -rw-r--r-- 1 root root  2 Apr 21 23:12 file1
0 lrwxrwxrwx 1 root root 12 Apr 21 23:13 secrets -> /tmp/secrets

┌──(root㉿kali)-[~/workspace/Meow]
└─# 7za a test.zip -tzip -snl -- test/*

7-Zip (a) 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024

Scanning the drive:
2 files, 2 bytes (1 KiB)

Creating archive: test.zip

Add new data to archive: 2 files, 14 bytes (1 KiB)

    
Files read from disk: 2
Archive size: 304 bytes (1 KiB)
Everything is Ok

┌──(root㉿kali)-[~/workspace/Meow]
└─# ls         
dash_id_rsa  hash  nmap_tcp_all.nmap  nmap_udp_all.nmap  project.zip  p.sh  pspy64  rootfs  test  test.zip  w.jpg

┌──(root㉿kali)-[~/workspace/Meow]
└─# unzip -v test.zip 
Archive:  test.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       2  Stored        2   0% 2024-04-21 23:12 6751fc53  test/file1
      12  Stored       12   0% 2024-04-21 23:13 fd393b12  test/secrets
--------          -------  ---                            -------
      14               14   0%                            2 files

As you can see, the symlink is not treated as a directory, hence the credential file is not included. Upon openning the test.zip, the link secrets is presented as a file with the following content.

ERROR: Dangerous link path was ignored : secrets : /tmp/secrets

However, if the flag -snl is not supplied, the credential file will be included. This is the dangerous part.

┌──(root㉿kali)-[~/workspace/Meow]
└─# 7za a test.zip -tzip -- test/*

7-Zip (a) 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024

Scanning the drive:
1 folder, 2 files, 9 bytes (1 KiB)

Creating archive: ../test.zip

Add new data to archive: 1 folder, 2 files, 9 bytes (1 KiB)

    
Files read from disk: 2
Archive size: 429 bytes (1 KiB)
Everything is Ok
Archive:  ../test.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       2  Stored        2   0% 2024-04-21 23:12 6751fc53  file1
       0  Stored        0   0% 2024-04-22 00:03 00000000  secrets/
       7  Stored        7   0% 2024-04-21 23:13 e2ebb28c  secrets/credential
--------          -------  ---                            -------
       9                9   0%                            3 files

However, the behaviour of -snl is not consistent for some earlier versions of 7zip, for example:

7-Zip (a) [64] 16.02

So, make sure to use the official 7zip and keep things up to date.

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack