Re: Zsh - Multiple DoS Vulnerabilities

[Mikael Magnusson <mikachu@xxxxxxxxx>]

On 5/14/19, Oliver Kiddle <okiddle@xxxxxxxxxxx> wrote:
> On 10 May, Bart wrote:
>> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@xxxxxxxxxxx>
>> wrote:
>> >
>> >     #1 Invalid read from *taddrstr *call in *text.c*
>> >     POC folder: *01_taddstr_(text.c_148)*
>>
>> and then (several seconds later) a crash.
>>
>> The following minimal subset of their test will put the shell into an
>> infinite loop, without (at least for as long as I was willing to wait)
>> crashing it:
>>
>> if true; then me > you || !
>> :
>> fi
>
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
>
>   if [[ m -eq y ]]; then
>     : && !
>     :
>   fi
>
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.
>
> Issues #2, #3 and #5 are not separate issues but slight variations all
> leading to the typeset followed by braces bug. So thanks to Peter, I think
> those are all now fixed leaving this (#1) as the only one outstanding.

Might it be worth adding some type of check to the ecgetstr() code, so
we get a DPUTS instead of a crash if c>>2 is incredibly large? I'm not
sure atm how this would be determined, or what typical values are, but
I think two of these issues led to a crash here. We could also get
arbitrary bytecode from a modified .zwc file although of course in
that case you've already los tany security. Still would be nice to not
crash from misparsing it though.

-- 
Mikael Magnusson