Vulnerability found in Bandizip (MOTW propagation)


Sjors van Gogh

Feb 10, 2025, 9:50:50 AM
to Bandizip for Windows forum

Hello Bandizip,

Currently I’m doing a study for my thesis about MOTW behavior when using containerized files (archives, ISO, etc). During my research I found out about CVE-2025-0411, which is a MOTW vulnerability in 7-zip when double archiving a file. When double archiving a file the MOTW propagation fails to propagate on the inner files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.

While checking this out, I tested it on Bandizip and I concluded that Bandizip has the same problem when double archiving a file.

As shown in: '.zip in.zip.png' a .zip file which has another .zip in it. The parent .zip file has MOTW as shown with the Security property in the properties window:

When extracting the file in the double archive MOTW isn’t properly propagated (shown in: file doesn't have MOTW.png)

I guess this is something you guys would want to fix, because as written here https://www.bandisoft.com/bandizip/help/zone-identifier/, .docx file should be propagated properly. My question for you is, do you have a procedure for giving credits to security researchers? If so, is it possible I could get credit for reporting this vulnerability and get my name on the possible CVE?

I hope this message finds you guys well. If you need any more information please let me know.

Kind regards,

Sjors van Gogh

file doenst have MOTW.png
.zip in .zip.png
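
The check described in the report above can be scripted as a defensive audit. This is an added example, not part of the original thread and not Bandisoft's code: it reads the `Zone.Identifier` alternate data stream of an archive and of every file extracted from it, and lists the files that did not inherit the mark. The function names and the injectable `reader` parameter are assumptions made for illustration.

```python
import os
from typing import Callable, List, Optional

UNTRUSTED_ZONES = {3, 4}  # 3 = Internet, 4 = Restricted sites

def read_zone_ads(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of a file on NTFS, or None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8-sig", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_zone_id(stream_text: Optional[str]) -> Optional[int]:
    """Extract ZoneId from the [ZoneTransfer] section; None if missing or malformed."""
    if not stream_text:
        return None
    in_section = False
    for line in stream_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None

def unmarked_files(archive: str, extract_dir: str,
                   reader: Callable[[str], Optional[str]] = read_zone_ads) -> List[str]:
    """List extracted files that lost the mark carried by an untrusted archive."""
    if parse_zone_id(reader(archive)) not in UNTRUSTED_ZONES:
        return []  # the archive itself is not marked; nothing to propagate
    missing = []
    for root, _dirs, files in os.walk(extract_dir):
        for name in files:
            path = os.path.join(root, name)
            # Files pulled out of an inner archive must carry the mark as well.
            if parse_zone_id(reader(path)) not in UNTRUSTED_ZONES:
                missing.append(path)
    return sorted(missing)
```

On Windows, call `unmarked_files(archive_path, extraction_dir)` after extracting with the tool under test; an empty list means every extracted file kept the mark.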

seyo IM

Feb 10, 2025, 6:35:29 PM
to Bandizip for Windows forum
Hello, this is Bandisoft.

Thank you for your recent vulnerability report. This issue has now been fixed and a new version including the fix will be released before long.

You will be credited on the update history of Bandizip (https://www.bandisoft.com/bandizip/history/ ) as follows:
Fixed a vulnerability that the app does not process the MoTW information when extracting files from an archive through a double click - Thanks to Sjors van Gogh

We do not register CVEs, so please contact MITRE and directly report the vulnerability.

Thank you very much for your report once again.

On Monday, February 10, 2025 at 11:50:50 PM UTC+9, Sjors van Gogh wrote:

Sjors van Gogh

Feb 11, 2025, 3:39:14 AM
to Bandizip for Windows forum
Hello,

Just tested the new version (v.7.27) and it is indeed now fixed. Thanks for the quick reply!

I will register it myself directly to MITRE or some other registrar.

Kind regards,

Sjors van Gogh
