CVE-2018-10172 in 7-Zip

Summary

by MITRE

7-Zip through 18.01 on Windows implements the "Large memory pages" option by calling the LsaAddAccountRights function to add the SeLockMemoryPrivilege privilege to the user's account, which makes it easier for attackers to bypass intended access restrictions by using this privilege in the context of a sandboxed process.


Analysis

by VulDB Data Team • 02/28/2025

The vulnerability identified as CVE-2018-10172 resides in the 7-Zip compression utility, version 18.01 and earlier, on Windows. The issue stems from how the software implements its large memory pages feature. When a user enables the "Large memory pages" option, the application calls the Windows Local Security Authority (LSA) function LsaAddAccountRights to grant the SeLockMemoryPrivilege user right to the current user account. This privilege allows a process to lock pages in physical RAM so that they cannot be paged out to disk. The flaw is significant because it creates an unintended escalation path that undermines the security boundaries normally enforced by sandboxing mechanisms.

Exploitation of this vulnerability occurs when an attacker uses the SeLockMemoryPrivilege privilege from within a sandboxed process. Sandboxing normally restricts a process from reaching certain system resources or privileges so that it cannot access sensitive data or system functions. Because 7-Zip grants SeLockMemoryPrivilege to the user account itself rather than to its own process, every process that later runs under that account, including sandboxed ones, inherits the right; 7-Zip therefore hands attackers a way around these intended access controls. The privilege enables memory-page locking, which can be used to circumvent memory protection mechanisms and potentially reach memory regions that would otherwise be restricted. The vulnerability thus acts as a privilege escalation vector that turns a sandboxed process into one with elevated capabilities.

From an operational perspective, this vulnerability presents a serious risk to systems running affected versions of 7-Zip. The impact goes beyond simple privilege escalation: elevated memory access rights can also support more sophisticated techniques such as memory scraping or process injection. Security researchers have classified the issue under CWE-269 (Improper Privilege Management) and mapped it to the ATT&CK framework's privilege escalation techniques. In effect, the vulnerability undermines the security model of sandboxed applications by giving attackers a back door to memory-locking capabilities that should remain limited to system-level processes or administrators.

Organizations and security practitioners should apply mitigations promptly. The primary recommendation is to upgrade to 7-Zip 18.02 or later, where the problematic implementation has been corrected. In addition, system administrators should review and, where possible, restrict the execution of 7-Zip in sandboxed environments, particularly in high-security contexts. The mitigation strategy should also include monitoring Windows event logs for unauthorized privilege changes, specifically the user-right assignment events that LsaAddAccountRights calls produce. Security controls should be tuned to detect suspicious privilege escalation attempts and to ensure that SeLockMemoryPrivilege is not granted to user accounts unnecessarily. Network security monitoring should likewise watch for exploitation attempts that combine this vulnerability with other attack vectors.
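The two detection checks recommended above, as an added PowerShell example (this is not VulDB's or 7-Zip's code): it lists which accounts currently hold SeLockMemoryPrivilege in the local security policy, and it pulls the Security-log events that record a user right being assigned or removed (Event IDs 4704 and 4705, the events an LsaAddAccountRights call produces) and filters them to that privilege. It assumes it is run elevated on Windows and that the "Audit Authorization Policy Change" audit subcategory is enabled, since without it no 4704/4705 events are written. The `$Days` lookback window and the temporary export path are assumptions of this example.

```powershell
# Added example (not from VulDB or 7-Zip): audit SeLockMemoryPrivilege holders
# and the user-right assignment events that a LsaAddAccountRights call generates.
# Assumes: elevated session on Windows; "Audit Authorization Policy Change" (success)
# auditing enabled so that Event IDs 4704/4705 are recorded in the Security log.

$Privilege = 'SeLockMemoryPrivilege'

function Get-PrivilegeHolders {
    param([string]$Name = $Privilege)
    # secedit exports the local security policy; the [Privilege Rights] section lists
    # each user right followed by the SIDs (written as *S-1-...) or names that hold it.
    $inf = Join-Path $env:TEMP 'userrights-export.inf'   # assumed temp path
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Name\s*=" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not assigned to anyone
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Translate the SID to an account name where the SID still resolves
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

function Get-PrivilegeAssignmentEvents {
    param([string]$Name = $Privilege, [int]$Days = 30)
    # 4704 = "A user right was assigned", 4705 = "A user right was removed".
    # Both carry the affected account in TargetSid and the right(s) in PrivilegeList.
    $filter = @{ LogName = 'Security'; Id = 4704, 4705; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['PrivilegeList'] -match $Name) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = if ($_.Id -eq 4704) { 'assigned' } else { 'removed' }
                Target    = $data['TargetSid']
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Privilege = ($data['PrivilegeList'] -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Current state: only Administrators (or a deliberately chosen service account)
# should hold this right. An ordinary user account appearing here after enabling
# 7-Zip's "Large memory pages" option is exactly the condition this CVE describes.
Write-Host "Accounts currently holding ${Privilege}:"
Get-PrivilegeHolders | ForEach-Object { Write-Host "  $_" }

# History: who granted (or removed) the right, to which account, and when.
Write-Host "`nUser-right changes involving $Privilege in the last 30 days:"
Get-PrivilegeAssignmentEvents | Format-Table -AutoSize
```

Two practical notes. A right added through LsaAddAccountRights only appears in tokens created after the change, so `whoami /priv` in an existing session will not show it until the user logs on again; the policy export above reflects the assignment immediately. And the 4704 event records the account that made the change (the SubjectUserName fields), not the process, so correlating a hit with 7-Zip relies on the timestamp and on the subject being an ordinary, non-administrative user.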

Reservation: 04/16/2018

Disclosure: 04/16/2018

Moderation: accepted

CPE: ready

EPSS: 0.00040

KEV: no

Activities: very low
