From: Mikael Magnusson <mikachu@gmail.com>
To: Oliver Kiddle <okiddle@yahoo.co.uk>
Cc: Zsh workers <zsh-workers@zsh.org>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Wed, 15 May 2019 18:50:04 +0200 [thread overview]
Message-ID: <CAHYJk3RBTaGaVirTKFCMSNyKZU5ux55-bqZOo2ObcxadUpVXtQ@mail.gmail.com> (raw)
In-Reply-To: <21436-1557865831.121649@2P7I.HAU9.QsaG>
On 5/14/19, Oliver Kiddle <okiddle@yahoo.co.uk> wrote:
> On 10 May, Bart wrote:
>> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@tenable.com>
>> wrote:
>> >
>> > #1 Invalid read from *taddrstr *call in *text.c*
>> > POC folder: *01_taddstr_(text.c_148)*
>>
>> and then (several seconds later) a crash.
>>
>> The following minimal subset of their test will put the shell into an
>> infinite loop, without (at least for as long as I was willing to wait)
>> crashing it:
>>
>> if true; then me > you || !
>> :
>> fi
>
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
>
> if [[ m -eq y ]]; then
> : && !
> :
> fi
>
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.
>
> Issues #2, #3 and #5 are not separate issues but slight variations all
> leading to the typeset followed by braces bug. So thanks to Peter, I think
> those are all now fixed leaving this (#1) as the only one outstanding.
Might it be worth adding some type of check to the ecgetstr() code, so
we get a DPUTS instead of a crash if c>>2 is incredibly large? I'm not
sure atm how this would be determined, or what typical values are, but
I think two of these issues led to a crash here. We could also get
arbitrary bytecode from a modified .zwc file although of course in
that case you've already los tany security. Still would be nice to not
crash from misparsing it though.
--
Mikael Magnusson
next prev parent reply other threads:[~2019-05-15 16:51 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-10 15:03 David Wells
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21 ` Stephane Chazelas
2019-05-13 16:29 ` David Wells
2019-05-13 22:02 ` Bart Schaefer
2019-05-14 18:10 ` Stephane Chazelas
2019-05-14 21:24 ` Daniel Shahaf
2019-05-14 21:38 ` Bart Schaefer
2019-05-14 21:39 ` Daniel Shahaf
2019-05-14 22:25 ` Bart Schaefer
2019-05-15 10:48 ` Daniel Shahaf
2019-05-31 12:05 ` [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities) Stephane Chazelas
2019-06-03 9:35 ` Peter Stephenson
2019-06-04 2:39 ` dana
2019-06-04 7:34 ` dana
2019-05-10 20:27 ` Zsh - Multiple DoS Vulnerabilities Bart Schaefer
2019-05-11 1:45 ` #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-13 9:01 ` Peter Stephenson
2019-05-13 21:11 ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44 ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-13 22:36 ` #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-14 0:13 ` Mikael Magnusson
2019-05-14 5:38 ` Bart Schaefer
2019-05-14 10:50 ` Peter Stephenson
2019-05-14 16:38 ` Zsh - Multiple DoS Vulnerabilities Peter Stephenson
2019-05-14 20:30 ` Oliver Kiddle
2019-05-15 16:50 ` Mikael Magnusson [this message]
2019-05-16 20:37 ` Peter Stephenson
2019-05-17 13:41 ` Mikael Magnusson
2019-05-17 13:51 ` Mikael Magnusson
2019-05-17 14:28 ` Mikael Magnusson
2019-05-18 10:31 ` Oliver Kiddle
2019-05-21 14:43 ` Oliver Kiddle
[not found] ` <CGME20190521154256eucas1p1f0816d2467abd8bf4a0c31058af2983a@eucas1p1.samsung.com>
2019-05-21 15:42 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHYJk3RBTaGaVirTKFCMSNyKZU5ux55-bqZOo2ObcxadUpVXtQ@mail.gmail.com \
--to=mikachu@gmail.com \
--cc=okiddle@yahoo.co.uk \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).