From: Peter Stephenson <p.stephenson@samsung.com>
Date: Tue, 14 May 2019 17:38:21 +0100
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Message-ID: <1557851901.4353.46.camel@samsung.com>
List-Id: Zsh Workers List
X-Seq: 44297

On Fri, 2019-05-10 at 13:27 -0700, Bart Schaefer wrote:
> On Fri, May 10, 2019 at 8:04 AM David Wells wrote:
> >
> >     #1 Invalid read from taddstr call in text.c
> >     POC folder: 01_taddstr_(text.c_148)
>
> This has literal NUL bytes embedded in the body of an if/then.  Run
> from an interactive shell, it gives:
>
>  text.c:995: unknown word code in gettext2()
>  text.c:995: unknown word code in gettext2()
>  text.c:72: attempting to decrement tindent below zero
>  text.c:72: attempting to decrement tindent below zero
>
> and then (several seconds later) a crash.
>
> The following minimal subset of their test will put the shell into an
> infinite loop, without (at least for as long as I was willing to wait)
> crashing it:
>
> if true; then me
> you || !
> :
> fi

So the best guess at the moment is that the embedded NUL bytes are being
misinterpreted by whatever causes the text to be handled wrongly, so they
are only tangentially relevant?

That would fit with what I'm seeing, which is that the infinite loop is in
gettext2(), before anything is executed.  This function tries to decode
wordcode set up by the parser, which is hard to debug because of the
strong correlation between the two completely separate bits of code (and
its own internal structure is a bit head-scratching, too).  Might be
interesting to perturb it until it just doesn't fail any more...

The parsing phase seemed to finish normally, as far as I could see.

pws
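The thread turns on telling three outcomes apart: Bart saw the DPUTS diagnostics and then a crash, Peter sees an infinite loop in gettext2() before anything executes, and both wonder whether the NUL bytes matter at all. The harness below is an added example, not code from this thread or from the zsh project: it runs a script under a time limit and classifies the result as a clean exit, an ordinary error exit, a signal death, or a hang. It writes Bart's minimal reproducer from the message above to a temporary file, plus a constructed variant of that same script with one literal NUL byte in the if/then body (my perturbation, not David Wells's PoC, which is not reproduced in the thread). It assumes GNU coreutils `timeout` is on PATH; the names ZSH, ZSH_FLAGS, LIMIT, classify_run, write_minimal_case, write_nul_case and main are mine.

```shell
#!/bin/sh
# Added example (not from the zsh-workers thread or the zsh source tree).
# Runs candidate scripts under a time limit and reports how zsh died.
#
# Assumptions: GNU coreutils `timeout` is available; ZSH/ZSH_FLAGS/LIMIT
# are names chosen here, not zsh conventions.

ZSH="${ZSH:-zsh}"              # zsh binary under test
ZSH_FLAGS="${ZSH_FLAGS:-}"     # e.g. -i to mimic Bart's interactive run
LIMIT="${LIMIT:-5}"            # seconds before a run is counted as a hang

# classify_run SECONDS CMD [ARG...]
# Runs CMD under `timeout` (TERM first, KILL two seconds later, because an
# interactive shell ignores SIGTERM) and prints exactly one word:
#   ok            exit status 0
#   error         ordinary non-zero exit (parse error, "command not found", ...)
#   crash:<sig>   the command died from signal <sig>, e.g. crash:11 for SIGSEGV
#   hang          the time limit expired (timeout exit 124, or 137 after KILL)
#   nocmd         timeout could not run the command at all (exit 125..127)
classify_run() {
    limit="$1"; shift
    status=0
    timeout -k 2 "$limit" "$@" >/dev/null 2>&1 || status=$?
    case "$status" in
        0)            echo ok ;;
        124|137)      echo hang ;;    # 137 is also what a genuine SIGKILL looks like
        125|126|127)  echo nocmd ;;
        *)  if [ "$status" -gt 128 ]; then
                echo "crash:$((status - 128))"
            else
                echo error
            fi ;;
    esac
}

# Bart Schaefer's minimal reproducer, copied from the message above.
write_minimal_case() {
    printf 'if true; then me\nyou || !\n:\nfi\n' > "$1"
}

# Constructed perturbation (mine): the same script with a literal NUL byte
# inside the if/then body, to compare against the NUL-free version.
write_nul_case() {
    printf 'if true; then me\000\nyou || !\n:\nfi\n' > "$1"
}

# Run the two built-in cases plus any script paths given as arguments.
main() {
    if ! command -v "$ZSH" >/dev/null 2>&1; then
        echo "$ZSH not found; set ZSH=/path/to/zsh to run the cases" >&2
        return 0
    fi
    dir=$(mktemp -d) || return 0
    write_minimal_case "$dir/minimal.zsh"
    write_nul_case "$dir/with_nul.zsh"
    for f in "$dir"/*.zsh "$@"; do
        printf '%-16s %s\n' "$(basename "$f")" \
            "$(classify_run "$LIMIT" "$ZSH" $ZSH_FLAGS "$f")"
    done
    rm -rf "$dir"
}

main "$@"
```

Run it as `ZSH=/path/to/built/zsh sh harness.sh [more-scripts...]`; a hang on both cases supports the guess that the NUL bytes are tangential, while a crash only on the NUL variant would point the other way. Only the classification is asserted below, since whether a given zsh build hangs depends on its version.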