From: Oliver Kiddle <okiddle@yahoo.co.uk>
To: Zsh Hackers' List <zsh-workers@zsh.org>
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Date: Fri, 26 Sep 2014 16:03:14 +0200 [thread overview]
Message-ID: <22772.1411740194@thecus.kiddle.eu> (raw)
In-Reply-To: <20140925141133.49a7127b@pwslap01u.europe.root.pri>
Peter Stephenson wrote:
> There's nothing in zsh that corresponds to this particular problem; I
> can't think of an easy way to get the environment to leak into code in
> zsh without the code doing it deliberately but feel free to have a
> think --- some of the special variable handling is quite complicated.
I've had a bit of a dig and can't find anything. Certainly not with
arbitrary variable names (i.e. attacker only needs control of the
value). That's what makes the bash bug serious.
Still, it might be wise to review the specials: reduce the attack
surface just in case a variable name happens to clash with something
that an attacker can filter through.
For specials of numeric type we appear to be doing math evaluation on
their values.
OPTIND='3+4' zsh -c 'echo $OPTIND'
And if you think you can't do anything with math evaluation:
x='`date >&2`' OPTIND='pipestatus[1${(e)x}]' zsh -c ':'
Other shells don't even import OPTIND. Would it perhaps make sense to
revert the sense of PM_DONTIMPORT and have a PM_IMPORT flag so any new
special is not imported unless whoever implements it actually gives it
some thought. PS1 etc have been imported since forever but what about
POSTEDIT, is that necessary? Also, this behaviour hardly seems useful:
% status=45 zsh -cf 'echo hi'
zsh: read-only variable: status
The various specials in the parameters can't be affected:
% env functions='one two' zsh -cf ':'
zsh: Can't add module parameter `functions': parameter already exists
Also, worth checking is unusual characters or invalid UTF-8 sequences
in the environment variable name. There's more processing here. Square
brackets in particular get some special treatment but don't seem to be a
problem:
For zsh the variable is missing (but passed on to child processes).
env 'ARR[1]'=hello zsh -cf 'typeset -p|grep A\RR'
Interestingly, bash gets a variable with square brackets in the name:
env 'ARR[3]'=hello bash -cf 'typeset -p|grep A\RR'
declare -x ARR[3]
It ought to do proper quoting in typeset -p output though.
Ksh creates an array (and does a math evaluation).
env 'ARR[21+47]'=hello ksh -cf 'typeset -p ARR'
typeset -x -a ARR=([68]=hello)
Oliver
next prev parent reply other threads:[~2014-09-26 14:09 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-24 14:45 İsmail Dönmez
2014-09-24 14:54 ` Frank Terbeck
2014-09-24 14:55 ` İsmail Dönmez
2014-09-24 15:01 ` Peter Stephenson
2014-09-24 15:08 ` Frank Terbeck
2014-09-24 15:13 ` Jérémie Roquet
2014-09-24 14:55 ` Jérémie Roquet
2014-09-24 14:59 ` Chet Ramey
2014-09-25 13:11 ` Peter Stephenson
2014-09-26 14:03 ` Oliver Kiddle [this message]
2014-09-26 20:08 ` Peter Stephenson
2014-09-29 10:04 ` PATCH: safe numeric import Peter Stephenson
2014-09-29 15:24 ` Bart Schaefer
2014-10-01 14:57 ` [Bulk] " Oliver Kiddle
2014-10-02 16:06 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22772.1411740194@thecus.kiddle.eu \
--to=okiddle@yahoo.co.uk \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).