From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44305
From: Mikael Magnusson
Date: Wed, 15 May 2019 18:50:04 +0200
In-Reply-To: <21436-1557865831.121649@2P7I.HAU9.QsaG>
References: <21436-1557865831.121649@2P7I.HAU9.QsaG>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: Oliver Kiddle
Cc: Zsh workers

On 5/14/19, Oliver Kiddle wrote:
> On 10 May, Bart wrote:
>> On Fri, May 10, 2019 at 8:04 AM David Wells
>> wrote:
>> >
>> > #1 Invalid read from *taddrstr *call in *text.c*
>> > POC folder: *01_taddstr_(text.c_148)*
>>
>> and then (several seconds later) a crash.
>>
>> The following minimal subset of their test will put the shell into an
>> infinite loop, without (at least for as long as I was willing to wait)
>> crashing it:
>>
>> if true; then me > you || !
>> :
>> fi
>
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
>
> if [[ m -eq y ]]; then
> : && !
> :
> fi
>
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.
>
> Issues #2, #3 and #5 are not separate issues but slight variations all
> leading to the typeset followed by braces bug. So thanks to Peter, I think
> those are all now fixed leaving this (#1) as the only one outstanding.

Might it be worth adding some type of check to the ecgetstr() code, so
we get a DPUTS instead of a crash if c>>2 is incredibly large? I'm not
sure atm how this would be determined, or what typical values are, but I
think two of these issues led to a crash here. We could also get
arbitrary bytecode from a modified .zwc file although of course in that
case you've already lost any security. Still would be nice to not crash
from misparsing it though.

-- 
Mikael Magnusson
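As an added illustration of the check proposed above (example code, not zsh's own and not part of this thread): a bounds-checked stand-in for the `r = s->strs + (c >> 2)` lookup that rejects offsets past the string table or strings not terminated inside it. The `strtab` struct, its `strslen` field and the meaning of the two low bits are assumptions made for the example; zsh's real Eprog layout is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a compiled program's string table. Only the
 * field the thread names (strs) plus an assumed length field are modelled. */
typedef uint32_t wordcode;
struct strtab {
    const char *strs;   /* concatenated NUL-terminated strings */
    size_t strslen;     /* byte length of strs (assumed field name) */
};

/* Encode a string offset as the lookup below decodes it: offset in the
 * upper bits, two flag bits (assumed meaning) at the bottom. */
wordcode encode_stroff(size_t off, unsigned flags)
{
    return (wordcode)(off << 2) | (flags & 3u);
}

/* Bounds-checked version of the `r = s->strs + (c >> 2)` lookup quoted in
 * the thread. Returns NULL instead of reading out of bounds when the
 * offset points past the table or the string is not terminated inside it.
 * In zsh a DPUTS() diagnostic would sit where the fprintf calls are. */
const char *checked_getstr(const struct strtab *s, wordcode c)
{
    size_t off = (size_t)(c >> 2);
    if (off >= s->strslen) {
        fprintf(stderr, "string offset %zu beyond %zu-byte table\n",
                off, s->strslen);
        return NULL;
    }
    /* memchr is limited to the remaining bytes, so it cannot overrun. */
    if (memchr(s->strs + off, '\0', s->strslen - off) == NULL) {
        fprintf(stderr, "unterminated string at offset %zu\n", off);
        return NULL;
    }
    return s->strs + off;
}

int main(void)
{
    static const char buf[] = "if\0:\0fi";      /* constructed, 8 bytes */
    struct strtab t = { buf, sizeof buf };
    const char *ok = checked_getstr(&t, encode_stroff(3, 0));   /* ":" */
    const char *bad = checked_getstr(&t, 0xFFFFFFF0u);          /* NULL */
    printf("%s %s\n", ok ? ok : "(null)", bad ? bad : "(null)");
    return 0;
}
```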