Conversation

@obivan the source is "nsa_employee39" who posted this on the Bad Place™:

Hey guys, as a thank you to all the new followers, I will be dropping 0days all this week until MyBB.

Here's an ACE vulnerability in 7zip.

1
1
0

@screaminggoat @obivan @cR0w
I'll vouch for it being fake.

The sharing of fake exploits definitely predates the destruction of Twitter by Musk. But I suppose it fits in better now. 😂

0
1
0

@cR0w @wdormann @obivan If I had to verify every proof of concept, it'd be a full time job.

The best that I can do is create an informal shit-list of people and apply a sort of admiralty code and move them up and down a notch based on their claims.

My knowledge is a mile wide and an inch deep so I have to triage the new reports and information as soon as I get them, to avoid being overwhelmed. I trust the person who created 7zip over someone named nsa_employee39 claiming to work for the feds and dropping a supposed 0day.

2
1
0

@screaminggoat @cR0w @wdormann @obivan

If it's a modern widely used app and the memory corruption exploit pops calc but doesn't have ROP chains, it's most likely a dud.

1
0
0

@ciaranmak @screaminggoat @cR0w @obivan
Yeah, the lack of ROP and ASLR bypass combined with the handle screams fake.
But I figured I'd at least attach a debugger to confirm that it wasn't merely an unfinished exploit.

1
1
0
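The rule of thumb in the two posts above (a "pops calc" PoC against a modern target with no ROP chain and no ASLR bypass is probably a dud, and only code that survives that screen earns a debugger session) can be turned into a first-pass triage script, combined with the informal "move them up and down a notch" source rating described earlier in the thread. The following is an added example written for this page; it is not code from any participant, from 7-Zip, or from the claimed PoC. The regexes are heuristics chosen here, the two PoC snippets are constructed stand-ins with placeholder addresses, and the rating scale and the "unknown sources start at D" default are assumptions.

```python
"""Static triage for claimed memory-corruption PoCs plus an admiralty-style
source ledger. Added example; heuristics and sample inputs are constructed."""
import re
from dataclasses import dataclass, field

# Calls a demo PoC typically ends with (the "pops calc" moment).
PAYLOAD_CALLS = re.compile(
    r"\b(WinExec|CreateProcess\w*|ShellExecute\w*|system|execve?)\b|calc(\.exe)?", re.I)
# Evidence the author dealt with ASLR: a leak primitive or base-relative addresses.
LEAK_HINTS = re.compile(
    r"\b(leak|infoleak|image_base|module_base|rebase)\b|\bbase\s*[+=]", re.I)
# Gadget-chain vocabulary, or a run of absolute addresses as a chain appears in source.
GADGET_HINTS = re.compile(r"\b(rop|gadget|ret2\w+)\b|pop\s+[re]?[a-z0-9]+\s*;\s*ret", re.I)
ABS_ADDR = re.compile(r"0x[0-9a-fA-F]{8,16}\b")


@dataclass
class Triage:
    score: int = 0                      # higher = more worth a debugger session
    findings: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "likely dud" if self.score < 0 else "worth attaching a debugger"


def triage_poc(source: str) -> Triage:
    """Plausibility screen: does the PoC show the work a real exploit needs?"""
    t = Triage()
    has_payload = bool(PAYLOAD_CALLS.search(source))
    has_leak = bool(LEAK_HINTS.search(source))
    abs_addrs = set(ABS_ADDR.findall(source))
    has_chain = bool(GADGET_HINTS.search(source)) or len(abs_addrs) >= 3

    if has_payload and not has_chain and not has_leak:
        t.score -= 3
        t.findings.append("spawns a payload with no gadget chain and no leak")
    if abs_addrs and not has_leak:
        t.score -= 1
        t.findings.append("hardcoded absolute addresses with no leak (assumes ASLR off)")
    if has_leak:
        t.score += 2
        t.findings.append("contains an info-leak or base-relative addressing")
    if has_chain:
        t.score += 1
        t.findings.append("contains a gadget chain")
    return t


RELIABILITY = "ABCDE"   # admiralty-style reliability axis: A most reliable, E unreliable


class SourceLedger:
    """Informal shit-list: one letter per source, moved a notch per claim that
    holds up or falls apart. Unknown sources start at D (an assumption here)."""

    def __init__(self, start: str = "D"):
        self.start = start
        self.ratings: dict[str, str] = {}

    def rating(self, source: str) -> str:
        return self.ratings.get(source, self.start)

    def record(self, source: str, claim_held: bool) -> str:
        i = RELIABILITY.index(self.rating(source))
        i = max(0, i - 1) if claim_held else min(len(RELIABILITY) - 1, i + 1)
        self.ratings[source] = RELIABILITY[i]
        return self.ratings[source]


def worth_my_time(ledger: SourceLedger, source: str, poc: str) -> bool:
    """Spend debugger time only if the code looks real or the source has earned trust."""
    return triage_poc(poc).score >= 0 or ledger.rating(source) in "AB"


# Constructed samples (not the thread's PoC); addresses are placeholders.
DUD_POC = '''
payload = b"A" * 1024 + b"\\x41\\x41\\x41\\x41"   # overwrite and pray
payload += shellcode                                 # WinExec("calc.exe")
'''
CHAIN_POC = '''
base = leak_module_base(target)     # info leak: defeats ASLR
chain = [base + 0x1111,             # pop rcx; ret
         base + 0x2222,             # pop rdx; ret
         base + 0x3333]             # call to WinExec
'''

if __name__ == "__main__":
    ledger = SourceLedger()
    for name, poc in (("anon_source", DUD_POC), ("maintainer", CHAIN_POC)):
        t = triage_poc(poc)
        print(name, t.verdict, t.findings, "debug?", worth_my_time(ledger, name, poc))
```

The screen is deliberately crude: it does not decide that a PoC is fake, only whether it has earned the debugger time that actually confirms it, which is the order the thread describes. The ledger moves one notch per outcome so a single bad call does not bury a source, and a single lucky one does not vouch for it.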

@screaminggoat @cR0w @obivan
> If I had to verify every proof of concept, it'd be a full time job.

That sorta was my job when we were all at the Bad Place. 😂

0
1
0

@wdormann @screaminggoat @cR0w @obivan

For extra legitimacy they can ask their genAI to add in a realistic looking rop gadget chain 😂

0
0
0

@cR0w @ciaranmak @screaminggoat @obivan
That was my hunch, yeah.
Too much effort for a human.

0
1
0

@cR0w @wdormann @screaminggoat @obivan Another point for the LLMs I guess?

1
0
3

@buherator @cR0w @screaminggoat @wdormann sorry guys, I didn't verify before sharing it. 😕

2
1
1

@obivan @buherator @cR0w @wdormann someone created an account to argue with Igor Pavlov: https://sourceforge.net/p/sevenzip/bugs/2539/

I don't get their intent. Clout chasing? Trying to justify their ChatGPT Plus subscription?

1
1
0

@obivan @buherator @cR0w @screaminggoat
No worries. A post on here is much less embarrassing than a media outlet publishing on it, which has already started. 😕

1
1
0

@cR0w @screaminggoat @obivan @buherator
It's probably unwise to try to figure out motivation for those who make up fake vulnerabilities. 😂

1
1
0

@screaminggoat @obivan @buherator @cR0w @wdormann "can you provide source code to back it up" from the new account is ultimate trolling

0
1
1

@cR0w @wdormann @screaminggoat @obivan @buherator if it were students, tbh I'd respect it.

0
1
0

@cR0w @wdormann @screaminggoat @obivan @buherator Information literacy is the core competency of our age. Demonstrating just how low it is = public service :)

0
1
0

@cR0w @wdormann @screaminggoat @obivan @buherator admittedly I'm not part of any academic circles at this point, and I pretty much ignore the thoughtfluency/think-leadery narratives on any given cybertopic™ (much to our PR teams' chagrin, sorry PR fam!), but I'm referring pretty specifically to the ability to separate vulnerability BS from technical reality. I'm sure there's a much more controversial, buzzword-heavy thoughtfluencer narrative around information literacy generally, but I see on the regular how the inability to use primary sources and actual, technical data to verify (or debunk) vuln hype is a massive time sink for orgs.

Example: https://infosec.exchange/@catc0n/113743148332527642

0
1
1