Date: Tue, 14 May 2019 19:10:26 +0100
From: Stephane Chazelas
To: David Wells
Cc: Bart Schaefer, zsh-workers@zsh.org
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Message-ID: <20190514181026.u4myftmekdtqkhme@chaz.gmail.com>
References: <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com>
List-Id: Zsh Workers List
X-Seq: 44298

2019-05-13 09:29:36 -0700, David Wells:
> Thanks for taking a look at these bugs. As Stephanie mentioned, security
> related risk may depend more on Zsh usage, and being that these crashes are
> Invalid Memory Access issues, they might allow an attacker to disclose
> parts of memory to help with a pre-exploitation process.
[...]

Thanks David,

I think it's fair to say you've flagged those as DoS vulnerabilities solely on the grounds that they were "invalid memory access issues", irrespective of how exploitable they are.

I'd say those reports are useful as bug reports, as they point to areas where zsh isn't doing the right thing, and I'm sure zsh developers are grateful for it. However, I think it does a disservice (to the sysadmin and security community (your customers, as I understand your company creates vulnerability scanning software), not so much to zsh developers) to call them DoS vulnerabilities, as they are not.

It's a shell's (or any interpreter's, for that matter) expected behaviour to fail when provided with unexpected input, so the fact that the shell crashes upon invalid input is not really a problem. A shell will exit when given "exit" or "<()>" as input; that doesn't mean it's a DoS.

Also, it's a shell's job to execute arbitrary commands. A :(){ :|:&};: input (the infamous fork bomb) will cripple a system, but that's as intended by whoever wrote that code.

From what I can see, those reported issues would only be vulnerabilities if they were a way to escape the "restricted mode" of zsh, a "security" feature inherited from the Bourne shell which hopefully nobody uses these days, but not as DoS vulnerabilities.

I think you should change the vectors. IMO, from a security standpoint, it's not very useful to fuzz "code" input provided to zsh, as anyway any "code" allows zsh to run any arbitrary command (except for the restricted mode). In other words, the "code" is generally not the attacker-supplied data. You could fuzz environment variables (the ones zsh cares about) or other attacker-controlled data fed to zsh scripts, like "limits", instead.

-- 
Stephane
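As an added example (not part of this thread or of zsh's own code), a small POSIX sh harness along the lines of the suggestion above: it feeds constructed data to a script through an environment variable rather than as code, and classifies how the process ended, so that a clean non-zero exit on bad input (a parse error, an explicit exit) is kept apart from death by signal, which is the outcome that would merit a bug report. The interpreter (sh), the variable name FUZZ_INPUT and the sample script are assumptions.

```shell
#!/bin/sh
# Added triage harness (not from the zsh-workers thread). Untrusted DATA is
# passed through an environment variable; the CODE stays fixed. A non-zero
# status below 128 is the interpreter rejecting input, which is expected;
# a status above 128 means the process was killed by a signal (128 + signum),
# e.g. 139 for SIGSEGV, which is what a crash report should be based on.
# Interpreter name, script body and variable name are assumptions.

# classify_status STATUS -> prints ok | error | signal:<n>
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -gt 128 ]; then
        echo "signal:$((st - 128))"
    else
        echo error
    fi
}

# run_case INTERPRETER SCRIPT VALUE -> classification of the run
# VALUE reaches the script only via the environment variable FUZZ_INPUT;
# it is never spliced into the code string.
run_case() {
    interp=$1; script=$2; value=$3
    st=0
    FUZZ_INPUT=$value "$interp" -c "$script" >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

# Constructed script standing in for a program that consumes external data:
# it rejects an empty value with status 2 and otherwise echoes it back.
SAMPLE_SCRIPT='[ -n "$FUZZ_INPUT" ] || exit 2; printf %s "$FUZZ_INPUT"'

# Constructed sample inputs: a normal value, an empty one, a long one.
if [ "${1:-}" = "--demo" ]; then
    for v in "hello" "" "$(printf '%0500d' 0)"; do
        printf '%-9s <- %.20s\n' "$(run_case sh "$SAMPLE_SCRIPT" "$v")" "$v"
    done
fi
```

Run with `--demo` to see the three sample inputs classified; the same harness can wrap any interpreter and script that read from the environment.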