OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • 7zip
  • motw
  • windows
  • rar5
  • exploitarium

news

7-Zip RAR5 MotW/ADS Full-Chain PoC

Crafted RAR5 STM streams overwrite extracted file bytes and Zone.Identifier on 7-Zip 26.01 — MotW bypass chain.

Summary

Crafted RAR5 STM streams overwrite extracted file bytes and Zone.Identifier on 7-Zip 26.01 — MotW bypass chain. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding           Detail
Product / target  7-Zip 26.01 x64 (Windows NTFS)
CVE               Related to MotW/archive handling research (see CVE-2025-0411 class)
Primitive         RAR5 ::$DATA and :Zone.Identifier:$DATA STM records
Impact            Attacker-controlled visible file content plus ZoneId=0 on extracted files when an Internet-zone archive propagates MotW.

Attack Chain

Build RAR5 → mark archive ZoneId=3 → extract with `-snz1` → verify content + MotW stream

Mitigation

Patch 7-Zip; treat downloaded archives as untrusted; enforce SmartScreen/AppLocker on extracted content.
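A post-extraction audit that operationalizes the "verify content + MotW stream" step from the defender's side, as an added example (not code from the Exploitarium PoC or from OFFSITE.DARK). It assumes the archive still carries its own Zone.Identifier stream and that $ArchivePath and $ExtractDir are supplied by the operator; it flags extracted files whose ZoneId is missing or lower than the archive's, and any unexpected alternate data streams.

```powershell
# Added example: compare the archive's ZoneId with the ZoneId of every extracted file.
# $ArchivePath / $ExtractDir are assumed inputs; nothing here is from the original PoC.
param(
    [Parameter(Mandatory)][string]$ArchivePath,
    [Parameter(Mandatory)][string]$ExtractDir
)

function Get-ZoneId {
    param([string]$Path)
    # Zone.Identifier ADS normally reads "[ZoneTransfer]" then "ZoneId=3"; no stream -> $null
    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    foreach ($line in @($content)) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$archiveZone = Get-ZoneId -Path $ArchivePath
if ($null -eq $archiveZone) {
    Write-Warning "Archive carries no Zone.Identifier; MotW propagation cannot be audited."
}

# Streams every plain extracted file is expected to have; anything else is worth a look.
$expectedStreams = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
    $file = $_
    $fileZone = Get-ZoneId -Path $file.FullName
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Stream
    $extraStreams = @($streams | Where-Object { $expectedStreams -notcontains $_ })

    # A ZoneId lower than the archive's (e.g. 0 after a ZoneId=3 download) or a missing
    # stream means the extracted file has lost the mark the archive carried.
    $motwDowngraded = ($null -ne $archiveZone) -and
        (($null -eq $fileZone) -or ($fileZone -lt $archiveZone))

    if ($motwDowngraded -or $extraStreams.Count -gt 0) {
        [PSCustomObject]@{
            Path           = $file.FullName
            ArchiveZoneId  = $archiveZone
            FileZoneId     = $fileZone
            MotwDowngraded = $motwDowngraded
            ExtraStreams   = ($extraStreams -join ', ')
        }
    }
}
```

Run it against a quarantined extraction directory before any file is opened; an empty result means every extracted file kept at least the archive's zone and carries no unexpected streams.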
