Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Peter Stephenson wrote:
> There's nothing in zsh that corresponds to this particular problem; I
> can't think of an easy way to get the environment to leak into code in
> zsh without the code doing it deliberately but feel free to have a
> think --- some of the special variable handling is quite complicated.

I've had a bit of a dig and can't find anything. Certainly not with
arbitrary variable names (i.e. attacker only needs control of the
value). That's what makes the bash bug serious.

Still, it might be wise to review the specials: reduce the attack
surface just in case a variable name happens to clash with something
that an attacker can filter through.

For specials of numeric type we appear to be doing math evaluation on
their values.
  OPTIND='3+4' zsh -c 'echo $OPTIND'
And if you think you can't do anything with math evaluation:
  x='`date >&2`' OPTIND='pipestatus[1${(e)x}]' zsh -c ':'

Other shells don't even import OPTIND. Would it perhaps make sense to
revert the sense of PM_DONTIMPORT and have a PM_IMPORT flag, so any new
special is not imported unless whoever implements it actually gives it
some thought? PS1 etc. have been imported since forever, but what about
POSTEDIT: is that necessary? Also, this behaviour hardly seems useful:
  % status=45 zsh -cf 'echo hi'
  zsh: read-only variable: status

The various specials in the parameters can't be affected:
  % env functions='one two' zsh -cf ':'
  zsh: Can't add module parameter `functions': parameter already exists

Also worth checking are unusual characters or invalid UTF-8 sequences
in the environment variable name. There's more processing here. Square
brackets in particular get some special treatment but don't seem to be a
problem:

For zsh the variable is missing (but passed on to child processes).
  env 'ARR[1]'=hello zsh -cf 'typeset -p|grep A\RR'

Interestingly, bash gets a variable with square brackets in the name:
  env 'ARR[3]'=hello bash -cf 'typeset -p|grep A\RR'
  declare -x ARR[3]
It ought to do proper quoting in typeset -p output though.

Ksh creates an array (and does a math evaluation).
  env 'ARR[21+47]'=hello ksh -cf 'typeset -p ARR'
  typeset -x -a ARR=([68]=hello)

Oliver
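As an added example (not part of Oliver's message or of the zsh project), the following POSIX sh functions audit an environment for the two import hazards discussed above: names that are not plain identifiers such as ARR[3], and non-integer values in numeric specials such as OPTIND, which zsh math-evaluates on import. The list of numeric specials beyond OPTIND is an assumption chosen for illustration, and the allowlist filter is a general mitigation, not a zsh feature.

```shell
# Added example, not from the original message. Audits NAME=VALUE lines
# (the format `env` prints) before they are handed to a shell:
#  - flags names that are not plain identifiers (e.g. 'ARR[3]'), and
#  - flags numeric specials whose value is not a plain integer
#    (e.g. OPTIND='3+4'), since zsh math-evaluates those on import.
# OPTIND comes from the message; the other names are an assumption.
NUMERIC_SPECIALS="OPTIND SECONDS LINENO RANDOM"

# Reads NAME=VALUE lines on stdin; prints one finding per line and
# returns 1 if anything was flagged, 0 otherwise.
audit_env() {
    rc=0
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $name in
            '' | [0-9]* | *[!A-Za-z0-9_]*)
                printf 'bad-name: %s\n' "$name"
                rc=1
                continue ;;
        esac
        for n in $NUMERIC_SPECIALS; do
            if [ "$n" = "$name" ]; then
                case $value in
                    '' | *[!0-9]*)
                        printf 'non-integer-special: %s=%s\n' "$name" "$value"
                        rc=1 ;;
                esac
            fi
        done
    done
    return $rc
}

# Keeps only lines whose name is on the space-separated allowlist in $1,
# producing input suitable for `env -i` so a child shell starts from a
# known environment instead of inheriting the caller's.
filter_env() {
    allow=$1
    while IFS= read -r line; do
        name=${line%%=*}
        for n in $allow; do
            if [ "$n" = "$name" ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}
```

`env | audit_env` reports findings for the current environment, and `env | filter_env 'HOME PATH'` prints the lines worth passing on.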
