From: Bart Schaefer
Date: Fri, 10 May 2019 13:27:39 -0700
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: David Wells
Cc: "zsh-workers@zsh.org"
List-Id: Zsh Workers List
X-Seq: 44283

On Fri, May 10, 2019 at 8:04 AM David Wells wrote:
>
> #1 Invalid read from taddrstr call in text.c
> POC folder: 01_taddstr_(text.c_148)

This has literal NUL bytes embedded in the body of an if/then.  Run from an
interactive shell, it gives:

text.c:995: unknown word code in gettext2()
text.c:995: unknown word code in gettext2()
text.c:72: attempting to decrement tindent below zero
text.c:72: attempting to decrement tindent below zero

and then (several seconds later) a crash.

The following minimal subset of their test will put the shell into an
infinite loop, without (at least for as long as I was willing to wait)
crashing it:

if true; then me > you || !
: fi

> #2 Invalid read from execcmd_analyse in exec.c
> POC folder: 02_execcmd_analyse_(exec.c_3653)

The test case is 3kb of a mangled shell script (missing closing quotes,
random bytes inserted) so I'm not going to attempt to reduce it to a
minimal case.  Feeding it to "zsh -nf" yields:

11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments

and then after several seconds a crash.

I did not attempt feeding this (or #3 - #5) through a shell that does not
have the -n option, because I don't have a secure sandbox in which to run
scripts I can't visually verify.

> #3 Invalid read from dupstring in string.c
> POC folder: 03_dupstring_(string.c_39)

This gives exactly the same errors as #2, and then exits with

[long ugly filename]:87: parse error near `}'

> #4 Invalid read from bin_print in builtin.c
> POC folder: 04_bin_print_(builtin.c_5009)

This produces no error output at all except for:

[long ugly filename]:41: parse error near `)'

> #5 Invalid read from untokenize in exec.c
> POC folder: 05_untokenize_(exec.c_1994)

Again no error except:

[long ugly filename]:94: parse error near `}'

> #6 Invalid read from getjob in jobs.c
> POC folder: 06_getjob_(jobs.c_1935)

This one I fed to "zsh -xf" and got (file name removed for readability):

+1> bg $'%\M-\C-?' $'\C-VI7'
bg:1: no job control in this shell.
+1> disown $'%777777777777777\M-^'
+1> $'\C-['
+1> $'\C-X\C-@\C-@\C-@@\C-@7'
1: command not found: ^[
1: command not found: ^X

followed eventually by a crash.  The input has multiple NUL bytes following
the ^X, and then some other misc. garbage, so the input processing may have
a generic problem with NULs.

> #7 Invalid read from hasher in hashtable.c
> POC folder: 07_hasher_(hashtable.c_85)

For this one "zsh -xf" says:

+1> foset :print $'\C-@\C-@\C-@hree'
1: command not found: foset
+1> set -E e
+2> typeset -priTt CeE e

and then just goes away until killed.  Only that final typeset is necessary
to reproduce the bug, the rest is irrelevant.
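The triage above is done by hand: each POC is fed to the shell in parse-only mode ("zsh -nf") or trace mode ("zsh -xf"), and the outcome is sorted into "parse error", "crash after a few seconds" or "hangs until killed". The following is an added example of a small harness that does that classification automatically; it is not code from this thread or from the zsh project. It assumes only a POSIX sh with sleep and kill -s; the function names triage_cmd, triage_parse and triage_dir and the TRIAGE_LOG variable are my own. The parse-only pass reads and compiles the script without executing any command, which is what makes it reasonable to run over fuzzer output one cannot visually verify.

```shell
#!/bin/sh
# Added example (not from the zsh-workers thread): a watchdog harness that runs
# a command and reports one of: ok | error:<status> | crash:sig<N> | hang.

# Target stdout/stderr go here; default discards them. Set TRIAGE_LOG=some/file
# to keep diagnostics such as the "BUG: miscounted typeset assignments" lines.
: "${TRIAGE_LOG:=/dev/null}"

# triage_cmd SECONDS CMD [ARGS...]
triage_cmd() {
    secs=$1; shift

    # Run the target detached. Its stdio must not leak into our stdout, or a
    # command substitution around triage_cmd would block until it exits.
    "$@" >"$TRIAGE_LOG" 2>&1 </dev/null &
    pid=$!

    # Watchdog: SIGKILL the target if it is still running after SECS seconds.
    ( sleep "$secs"; kill -s KILL "$pid" 2>/dev/null ) >/dev/null 2>&1 </dev/null &
    wd=$!

    # Collect the target's status; "&& ... ||" keeps this safe under set -e.
    wait "$pid" && rc=0 || rc=$?
    kill "$wd" 2>/dev/null || :   # cancel the watchdog if the target finished first

    # Shells report death-by-signal as 128+N. SIGKILL (137) is attributed to
    # the watchdog, so a target killed by SIGKILL from elsewhere (e.g. the OOM
    # killer) is also reported as a hang; that is the harness's one ambiguity.
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 137 ]; then
        echo hang
    elif [ "$rc" -gt 128 ]; then
        echo "crash:sig$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# triage_parse SECONDS INTERPRETER FILE
# Parse-only pass (-n), the mode the thread uses as "zsh -nf": the file is
# read and compiled but nothing in it is executed.
triage_parse() {
    secs=$1; interp=$2; file=$3
    triage_cmd "$secs" "$interp" -n "$file"
}

# triage_dir SECONDS INTERPRETER DIR
# Parse every regular file in DIR; prints "<outcome><TAB><file>" per line.
triage_dir() {
    secs=$1; interp=$2; dir=$3
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(triage_parse "$secs" "$interp" "$f")" "$f"
    done
}

# Example use (hypothetical path): TRIAGE_LOG=triage.log triage_dir 10 zsh ./poc
```

A "hang" from the parse-only pass corresponds to the infinite loop seen with #7 (or the reduced if/then case), "crash:sig11" to the segfaults, and "error:1" to the ordinary parse errors of #3 through #5; anything still executing after the parse pass is clean can then be tried with -x inside a real sandbox.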