zsh-workers
From: David Wells <bughunters@tenable.com>
To: zsh-workers@zsh.org
Subject: Zsh - Multiple DoS Vulnerabilities
Date: Fri, 10 May 2019 08:03:14 -0700	[thread overview]
Message-ID: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> (raw)


Hello Zsh-Workers,

Tenable has discovered multiple DoS vulnerabilities in Zsh. The root cause
appears to be invalid memory access issues that crash the Zsh runtime. We
believe these have the following CVSS v2 vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
and verified this is present when installed on Arch Linux 5.0.7 x64. We've
internally assigned this vulnerability TRA-221.

Here is a link where you'll find a proof of concept (PoC) called
zsh_poc.tar.bz2:
https://tenable.box.com/s/mi7vlmqgq5zpqhadlr90u2hit2r1hjwe.
The PoC contains the 7 different invalid memory access issues in their
respective directories. Each directory will contain a gdb stack trace as well
as the Zsh script which can trigger the bug.

    #1 Invalid read from taddstr call in text.c
    POC folder: 01_taddstr_(text.c_148)

    #2 Invalid read from execcmd_analyse in exec.c
    POC folder: 02_execcmd_analyse_(exec.c_3653)

    #3 Invalid read from dupstring in string.c
    POC folder: 03_dupstring_(string.c_39)

    #4 Invalid read from bin_print in builtin.c
    POC folder: 04_bin_print_(builtin.c_5009)

    #5 Invalid read from untokenize in exec.c
    POC folder: 05_untokenize_(exec.c_1994)

    #6 Invalid read from getjob in jobs.c
    POC folder: 06_getjob_(jobs.c_1935)

    #7 Invalid read from hasher in hashtable.c
    POC folder: 07_hasher_(hashtable.c_85)

Tenable follows a 90-day vulnerability disclosure policy. That means, even
though we prefer coordinated disclosure, we'll issue an advisory on August
8, 2019 with or without a patch. Alternatively, any uncoordinated patch
publicly released before the 90-day deadline will be considered public
disclosure, and Tenable may release an early advisory. You can read the
full details of our policy here:
https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf

Thank you for taking the time to read this. We'd greatly appreciate it if
you'd acknowledge receipt of this report. If you have any questions we'd be
happy to address them.

Thanks again,
David


Thread overview: 34+ messages
2019-05-10 15:03 David Wells [this message]
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21   ` Stephane Chazelas
2019-05-13 16:29     ` David Wells
2019-05-13 22:02       ` Bart Schaefer
2019-05-14 18:10       ` Stephane Chazelas
2019-05-14 21:24         ` Daniel Shahaf
2019-05-14 21:38           ` Bart Schaefer
2019-05-14 21:39         ` Daniel Shahaf
2019-05-14 22:25           ` Bart Schaefer
2019-05-15 10:48             ` Daniel Shahaf
2019-05-31 12:05     ` [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities) Stephane Chazelas
2019-06-03  9:35       ` Peter Stephenson
2019-06-04  2:39       ` dana
2019-06-04  7:34         ` dana
2019-05-10 20:27 ` Zsh - Multiple DoS Vulnerabilities Bart Schaefer
2019-05-11  1:45   ` #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-13  9:01     ` Peter Stephenson
2019-05-13 21:11   ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44   ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-13 22:36   ` #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-14  0:13     ` Mikael Magnusson
2019-05-14  5:38       ` Bart Schaefer
2019-05-14 10:50     ` Peter Stephenson
2019-05-14 16:38   ` Zsh - Multiple DoS Vulnerabilities Peter Stephenson
2019-05-14 20:30   ` Oliver Kiddle
2019-05-15 16:50     ` Mikael Magnusson
2019-05-16 20:37     ` Peter Stephenson
2019-05-17 13:41       ` Mikael Magnusson
2019-05-17 13:51         ` Mikael Magnusson
2019-05-17 14:28           ` Mikael Magnusson
2019-05-18 10:31           ` Oliver Kiddle
2019-05-21 14:43             ` Oliver Kiddle
2019-05-21 15:42                 ` Peter Stephenson
