Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities

On Fri, 2019-05-10 at 13:27 -0700, Bart Schaefer wrote:
> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@xxxxxxxxxxx> wrote:
> >
> >     #1 Invalid read from taddstr call in text.c
> >     POC folder: 01_taddstr_(text.c_148)
> This has literal NUL bytes embedded in the body of an if/then.  Run
> from an interactive shell, it gives:
> 
>  text.c:995: unknown word code in gettext2()
>  text.c:995: unknown word code in gettext2()
>  text.c:72: attempting to decrement tindent below zero
>  text.c:72: attempting to decrement tindent below zero
> 
> and then (several seconds later) a crash.
> 
> The following minimal subset of their test will put the shell into an
> infinite loop, without (at least for as long as I was willing to wait)
> crashing it:
> 
> if true; then me > you || !
> :
> fi

So the best guess at the moment is the embedded NUL bytes are being
misinterpreted by whatever causes the text to be handled wrongly, so
they are only tangentially relevant?

That would fit with what I'm seeing, which is the infinite loop is in
gettext2(), before anything is executed.  This function tries to decode
wordcode set up by the parser, which is hard to debug because of the
strong correlation between the two completely separate bits of code (and
its own internal structure is a bit head-scratching, too).  Might be
interesting to perturb it until it just doesn't fail any more...

The parsing phase seemed to finish normally, as far as I could see.

pws
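An added reproduction harness, not code from this thread or from zsh itself: it writes Bart's minimal test case quoted above to a scratch file, runs it under a timeout inside a scratch directory (so the stray "me > you" redirection cannot create a file next to anything that matters), and classifies the outcome from the exit status. Bart saw the loop from an interactive shell; running the case as a script, the choice of shell binary and timeout, and the exit-code mapping (124 from GNU timeout, 128+N for death by signal N) are this harness's own assumptions, so a non-interactive run may not reach the same gettext2() path.

```shell
#!/bin/sh
# Added example, not part of the zsh thread or of zsh: run a suspected
# hang/crash reproducer under a timeout and classify what happened.
# Assumes GNU coreutils "timeout" and "mktemp -d" are available.

# Minimal reproducer quoted in the thread (no NUL bytes in this subset).
REPRO='if true; then me > you || !
:
fi
'

# classify_status EXIT_CODE
# Prints one of: hang | ok | crash signal=N | error exit=N
# 124 is GNU timeout's "command timed out"; 128+N is death by signal N
# (139 = SIGSEGV), which is how a crash in the shell itself shows up.
classify_status() {
    case "$1" in
        124) echo hang ;;
        0)   echo ok ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "crash signal=$(( $1 - 128 ))"
             else
                 echo "error exit=$1"
             fi ;;
    esac
}

# run_repro SHELL_BINARY [TIMEOUT_SECONDS]
# Writes the reproducer to a scratch directory and runs it there, then
# prints the classification. Output of the shell under test is discarded;
# drop the redirection if you want to see the "unknown word code" lines.
run_repro() {
    shell_bin=$1
    secs=${2:-10}
    workdir=$(mktemp -d) || return 2
    printf '%s' "$REPRO" > "$workdir/repro.zsh"
    # if/else keeps this correct under "set -e" when the child fails
    if ( cd "$workdir" && timeout "$secs" "$shell_bin" ./repro.zsh ) \
           >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    rm -rf "$workdir"
    classify_status "$status"
}

# Usage: ./harness.sh /path/to/zsh [seconds]
# e.g.   ./harness.sh ./Src/zsh 10   (assumed path to a freshly built zsh)
if [ "$#" -ge 1 ]; then
    run_repro "$@"
fi
```

To compare builds, point it at a pre-fix and a post-fix zsh in turn; "hang" on the first and "ok" (or a plain "error exit=1" from the unknown command "me") on the second is the result you want, and "crash signal=11" is the several-seconds-later outcome Bart describes with the full NUL-containing case.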
