Re: Zsh - Multiple DoS Vulnerabilities

[Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>]

On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@xxxxxxxxxxx> wrote:
>
>     #1 Invalid read from *taddrstr *call in *text.c*
>     POC folder: *01_taddstr_(text.c_148)*

This has literal NUL bytes embedded in the body of an if/then.  Run
from an interactive shell, it gives:

 text.c:995: unknown word code in gettext2()
 text.c:995: unknown word code in gettext2()
 text.c:72: attempting to decrement tindent below zero
 text.c:72: attempting to decrement tindent below zero

and then (several seconds later) a crash.

The following minimal subset of their test will put the shell into an
infinite loop, without (at least for as long as I was willing to wait)
crashing it:

if true; then me > you || !
:
fi

>     #2 Invalid read from *execcmd_analyse *in *exec.c*
>     POC folder: *02_execcmd_analyse_(exec.c_3653)*

The test case is 3kb of a mangled shell script (missing closing
quotes, random bytes inserted) so I'm not going to attempt to reduce
it to a minimal case.  Feeding it to "zsh -nf" yields:

11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments
11: exec.c:2655: BUG: miscounted typeset assignments

and then after several seconds a crash.  I did not attempt feeding
this (or #3 - #5) through a shell that does not have the -n option,
because I don't have a secure sandbox in which to run scripts I can't
visually verify.

>     #3 Invalid read from *dupstring *in *string.c*
>     POC folder:  *03_dupstring_(string.c_39)*

This gives exactly the same errors as #2, and then exits with

[long ugly filename]:87: parse error near `}'

>     #4 Invalid read from *bin_print *in *builtin.c*
>     POC folder: *04_bin_print_(builtin.c_5009)*

This produces no error output at all except for:

[long ugly filename]:41: parse error near `)'

>     #5 Invalid read from *untokenize *in *exec.c*
>     POC folder: *05_untokenize_(exec.c_1994)*

Again no error except:

[long ugly filename]:94: parse error near `}'

>     #6 Invalid read from *getjob *in *jobs.c*
>     POC folder: *06_getjob_(jobs.c_1935)*

This one I fed to "zsh -xf" and got (file name removed for readability):

+1> bg $'%\M-\C-?' $'\C-VI7'
bg:1: no job control in this shell.
+1> disown $'%777777777777777\M-^'
+1> $'\C-['
+1> $'\C-X\C-@\C-@\C-@@\C-@7'
1: command not found: ^[
1: command not found: ^X

followed eventually by a crash.  The input has multiple NUL bytes
following the ^X, and then some other misc. garbage, so the input
processing may have a generic problem with NULs.

>     #7 Invalid read from *hasher *in *hashtable.c*
>     POC folder: *07_hasher_(hashtable.c_85)*

For this one "zsh -xf" says:

+1> foset :print $'\C-@\C-@\C-@hree'
1: command not found: foset
+1> set -E e
+2> typeset -priTt CeE e

and then just goes away until killed.  Only that final typeset is
necessary to reproduce the bug, the rest is irrelevant.