From: Oliver Kiddle
To: Zsh Hackers' List
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Date: Fri, 26 Sep 2014 16:03:14 +0200
Message-ID: <22772.1411740194@thecus.kiddle.eu>
In-reply-to: <20140925141133.49a7127b@pwslap01u.europe.root.pri>
List-Id: Zsh Workers List

Peter Stephenson wrote:
> There's nothing in zsh that corresponds to this particular problem; I
> can't think of an easy way to get the environment to leak into code in
> zsh without the code doing it deliberately but feel free to have a
> think --- some of the special variable handling is quite complicated.

I've had a bit of a dig and can't find anything. Certainly not with
arbitrary variable names (i.e. attacker only needs control of the
value). That's what makes the bash bug serious.

Still, it might be wise to review the specials: reduce the attack
surface just in case a variable name happens to clash with something
that an attacker can filter through.

For specials of numeric type we appear to be doing math evaluation on
their values.

  OPTIND='3+4' zsh -c 'echo $OPTIND'

And if you think you can't do anything with math evaluation:

  x='`date >&2`' OPTIND='pipestatus[1${(e)x}]' zsh -c ':'

Other shells don't even import OPTIND.

Would it perhaps make sense to revert the sense of PM_DONTIMPORT and
have a PM_IMPORT flag so any new special is not imported unless whoever
implements it actually gives it some thought? PS1 etc. have been
imported since forever, but what about POSTEDIT, is that necessary?

Also, this behaviour hardly seems useful:

  % status=45 zsh -cf 'echo hi'
  zsh: read-only variable: status

The various specials in the parameters can't be affected:

  % env functions='one two' zsh -cf ':'
  zsh: Can't add module parameter `functions': parameter already exists

Also worth checking is unusual characters or invalid UTF-8 sequences in
the environment variable name. There's more processing here. Square
brackets in particular get some special treatment but don't seem to be
a problem. For zsh the variable is missing (but passed on to child
processes).

  env 'ARR[1]'=hello zsh -cf 'typeset -p|grep A\RR'

Interestingly, bash gets a variable with square brackets in the name:

  env 'ARR[3]'=hello bash -cf 'typeset -p|grep A\RR'
  declare -x ARR[3]

It ought to do proper quoting in typeset -p output though.

Ksh creates an array (and does a math evaluation).

  env 'ARR[21+47]'=hello ksh -cf 'typeset -p ARR'
  typeset -x -a ARR=([68]=hello)

Oliver
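The probe below is an added example, not code from this thread or from the zsh project. It turns the benign OPTIND='3+4' check above into a repeatable test: it starts a shell with a single numeric special set to the expression "3+4" in an otherwise empty environment, prints the parameter back, and classifies what happened (evaluated to 7, imported verbatim, ignored/reset, or refused as with the read-only status example). The list of candidate names is an assumption on my part (OPTIND and status come from the thread; the rest are names I know zsh treats as numeric specials), and the probe reports what the installed shell actually does rather than presuming a result.

```python
"""Check whether a shell math-evaluates numeric special parameters that
it imports from the environment (the OPTIND='3+4' behaviour discussed
in the thread).  Added example; not code from the thread or from zsh."""
import os
import shutil
import subprocess

PROBE_EXPR = "3+4"   # literal value placed in the child's environment
PROBE_RESULT = "7"   # what the value becomes if the shell evaluated it

# Assumed candidates: OPTIND and status are from the thread; the others
# are parameters I know zsh defines as numeric specials.
CANDIDATES = ("OPTIND", "SECONDS", "HISTSIZE", "SAVEHIST",
              "COLUMNS", "LINES", "status")

VERDICTS = ("evaluated", "imported", "not-imported", "refused", "error")


def classify(stdout, returncode=0, literal=PROBE_EXPR, evaluated=PROBE_RESULT):
    """Turn what the child shell printed into one verdict."""
    if returncode != 0 and stdout == "":
        return "refused"        # e.g. "zsh: read-only variable: status"
    if stdout == evaluated:
        return "evaluated"      # expression was math-evaluated on import
    if stdout == literal:
        return "imported"       # string imported verbatim, no evaluation
    return "not-imported"       # shell ignored or reset the value


def probe_parameter(shell, name, timeout=5.0):
    """Run `shell -fc 'printf "%s" "${NAME}"'` with NAME=3+4 in a minimal
    environment.  -f skips startup files (the thread uses -cf for the same
    reason) so only the shell's own import behaviour is measured."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), name: PROBE_EXPR}
    script = 'printf "%s" "${' + name + '}"'
    try:
        proc = subprocess.run([shell, "-fc", script], env=env,
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "error"          # shell missing, not executable, or hung
    return classify(proc.stdout, proc.returncode)


def probe_shell(shell, names=CANDIDATES):
    """Map every candidate parameter name to its verdict for `shell`."""
    return {name: probe_parameter(shell, name) for name in names}


if __name__ == "__main__":
    for sh in ("zsh", "bash", "sh"):
        path = shutil.which(sh)
        if path is None:
            print(f"{sh}: not installed, skipped")
            continue
        for name, verdict in probe_shell(path).items():
            print(f"{sh}: {name:9s} {verdict}")
```

Run it on a host after upgrading zsh to confirm that OPTIND no longer comes back as "evaluated"; an "imported" verdict means the string reached the shell untouched, and "not-imported" means the shell discarded or reset it, which is what Oliver notes other shells do for OPTIND.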