| 1 | | - | # 7-ZipBackdoor |
| | 1 | + | # 7-ZipPostAuth |
| | 2 | + | |
| | 3 | + | Tested on Version 19.00 |
| | 4 | + | |
| | 5 | + | 7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as "archives". It is often used to encrypt sensitive file contents that are saved on disk. |
| | 6 | + | |
| | 7 | + | After analysis of the application and the code, the process of opening a file and then reencrypting was understood. |
| | 8 | + | |
| | 9 | + | 1. User inputs the password to open/edit files in an encrypted archive. |
| | 10 | + | 2. 7-Zip makes a new directory in the C:\Users\%USERNAME%\AppData\Local\Temp directory. The new directory has a fixed name that starts with "Rar$" followed by randomly generated numbers. |
| | 11 | + | 3. 7-Zip unencrypts the file(s) in the archive and places them in the above created directory, in plain text. |
| | 12 | + | 4. Once editing is done, 7-zip will reencrypt the data and save it on disk. |
| | 13 | + | 5. 7-Zip will delete the above created directory and delete the plain text files. |
| | 14 | + | |
| | 15 | + | During the duration of opening a file to edit it and closing the file, **the attacker has access to plaintext documents**. |
| | 16 | + | |
| | 17 | + | The script in this repo is a **PoC for exfiltrating sensitive data encrypted by 7-zip** to an external attacker server. This is done in the **post exploitation** phase. |
| | 18 | + | |
