From: Bart Schaefer <schaefer@brasslantern.com>
To: David Wells <bughunters@tenable.com>
Cc: "zsh-workers@zsh.org" <zsh-workers@zsh.org>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Fri, 10 May 2019 13:27:39 -0700 [thread overview]
Message-ID: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com> (raw)
In-Reply-To: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com>
On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@tenable.com> wrote:
>
> #1 Invalid read from *taddrstr *call in *text.c*
> POC folder: *01_taddstr_(text.c_148)*
This has literal NUL bytes embedded in the body of an if/then. Run
from an interactive shell, it gives:
text.c:995: unknown word code in gettext2()
text.c:995: unknown word code in gettext2()
text.c:72: attempting to decrement tindent below zero
text.c:72: attempting to decrement tindent below zero
and then (several seconds later) a crash.
The following minimal subset of their test will put the shell into an
infinite loop, without (at least for as long as I was willing to wait)
crashing it:
if true; then me > you || !
:
fi
> #2 Invalid read from *execcmd_analyse *in *exec.c*
> POC folder: *02_execcmd_analyse_(exec.c_3653)*
The test case is 3kb of a mangled shell script (missing closing
quotes, random bytes inserted) so I'm not going to attempt to reduce
it to a minimal case. Feeding it to "zsh -nf" yields:
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
and then after several seconds a crash. I did not attempt feeding
this (or #3 - #5) through a shell that does not have the -n option,
because I don't have a secure sandbox in which to run scripts I can't
visually verify.
> #3 Invalid read from *dupstring *in *string.c*
> POC folder: *03_dupstring_(string.c_39)*
This gives exactly the same errors as #2, and then exits with
[long ugly filename]:87: parse error near `}'
> #4 Invalid read from *bin_print *in *builtin.c*
> POC folder: *04_bin_print_(builtin.c_5009)*
This produces no error output at all except for:
[long ugly filename]:41: parse error near `)'
> #5 Invalid read from *untokenize *in *exec.c*
> POC folder: *05_untokenize_(exec.c_1994)*
Again no error except:
[long ugly filename]:94: parse error near `}'
> #6 Invalid read from *getjob *in *jobs.c*
> POC folder: *06_getjob_(jobs.c_1935)*
This one I fed to "zsh -xf" and got (file name removed for readability):
+1> bg $'%\M-\C-?' $'\C-VI7'
bg:1: no job control in this shell.
+1> disown $'%777777777777777\M-^'
+1> $'\C-['
+1> $'\C-X\C-@\C-@\C-@@\C-@7'
1: command not found: ^[
1: command not found: ^X
followed eventually by a crash. The input has multiple NUL bytes
following the ^X, and then some other misc. garbage, so the input
processing may have a generic problem with NULs.
> #7 Invalid read from *hasher *in *hashtable.c*
> POC folder: *07_hasher_(hashtable.c_85)*
For this one "zsh -xf" says:
+1> foset :print $'\C-@\C-@\C-@hree'
1: command not found: foset
+1> set -E e
+2> typeset -priTt CeE e
and then just goes away until killed. Only that final typeset is
necessary to reproduce the bug, the rest is irrelevant.
next prev parent reply other threads:[~2019-05-10 20:28 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-10 15:03 David Wells
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21 ` Stephane Chazelas
2019-05-13 16:29 ` David Wells
2019-05-13 22:02 ` Bart Schaefer
2019-05-14 18:10 ` Stephane Chazelas
2019-05-14 21:24 ` Daniel Shahaf
2019-05-14 21:38 ` Bart Schaefer
2019-05-14 21:39 ` Daniel Shahaf
2019-05-14 22:25 ` Bart Schaefer
2019-05-15 10:48 ` Daniel Shahaf
2019-05-31 12:05 ` [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities) Stephane Chazelas
2019-06-03 9:35 ` Peter Stephenson
2019-06-04 2:39 ` dana
2019-06-04 7:34 ` dana
2019-05-10 20:27 ` Bart Schaefer [this message]
2019-05-11 1:45 ` #7 (typeset -Tp) (was " Oliver Kiddle
2019-05-13 9:01 ` Peter Stephenson
2019-05-13 21:11 ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44 ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-13 22:36 ` #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-14 0:13 ` Mikael Magnusson
2019-05-14 5:38 ` Bart Schaefer
2019-05-14 10:50 ` Peter Stephenson
2019-05-14 16:38 ` Zsh - Multiple DoS Vulnerabilities Peter Stephenson
2019-05-14 20:30 ` Oliver Kiddle
2019-05-15 16:50 ` Mikael Magnusson
2019-05-16 20:37 ` Peter Stephenson
2019-05-17 13:41 ` Mikael Magnusson
2019-05-17 13:51 ` Mikael Magnusson
2019-05-17 14:28 ` Mikael Magnusson
2019-05-18 10:31 ` Oliver Kiddle
2019-05-21 14:43 ` Oliver Kiddle
[not found] ` <CGME20190521154256eucas1p1f0816d2467abd8bf4a0c31058af2983a@eucas1p1.samsung.com>
2019-05-21 15:42 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com' \
--to=schaefer@brasslantern.com \
--cc=bughunters@tenable.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).