CVE-2021-3727 (GCVE-0-2021-3727)

Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:01
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
# Vulnerability in `rand-quote` and `hitokoto` plugins

**Description**: the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them and then use `print -P` to print them. `print -P` applies zsh prompt expansion to its argument, and when the `PROMPT_SUBST` option is set (Oh My Zsh enables it for its themes) that expansion also performs parameter expansion, command substitution and arithmetic expansion. A quote that contains a construct such as `$(...)`, backticks or `${(e):-"..."}` is therefore executed in the user's shell instead of being printed. Because the quotes come from external APIs, there is no way to know in advance whether a given quote is safe to hand to `print -P`.

**Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432).

**Impacted areas**:

- `rand-quote` plugin (`quote` function).
- `hitokoto` plugin (`hitokoto` function).

**Severity**: the assigner (huntr) scored it CVSS 3.1 7.5 High with `AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H`, the high attack complexity reflecting that an attacker first has to get a crafted quote accepted by the upstream site and then served to a victim who runs the plugin; NVD's primary score for the same record is 9.8 Critical (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`). Either way the payload runs with the full privileges of the interactive shell, and when the functions are hooked into `precmd` (as the PoC suggests) a fresh quote is fetched and expanded before every prompt.
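The mechanism described above, as an added example written for this page rather than code taken from the ohmyzsh plugins or the fix commit. It uses a constructed quote in place of the API call (the `$(echo PWNED)` payload mirrors the advisory's PoC), reproduces the pre-fix `print -P` shape with the untrusted text interpolated into the prompt-expanded string, and shows two ways of printing fetched text that keep it out of prompt expansion. The function names are mine; the `PROMPT_SUBST` setting is the one the plugins ran under.

```zsh
#!/usr/bin/env zsh
# Added example, not code from the ohmyzsh plugins: reproduces the print -P
# injection on a constructed quote and shows two ways to print untrusted text
# without handing it to prompt expansion.

setopt prompt_subst   # Oh My Zsh turns this on for its themes; it is what makes
                      # $(...) inside a prompt-expanded string execute.

# Constructed sample, standing in for text fetched from quotationspage.com /
# hitokoto.cn. The $(echo PWNED) mirrors the payload in the advisory's PoC.
WHO='Oprah Winfrey'
TXT='Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.'

# Vulnerable shape (same structure as the pre-fix plugins): the fetched text is
# interpolated into the single string that print -P then prompt-expands. Under
# PROMPT_SUBST that expansion runs command substitution, so $(echo PWNED) is
# executed and only its output reaches the terminal.
vulnerable_print() {
  print -P "%F{3}${1}%f: “%F{5}${2}%f”"
}

# Hardened shape 1: prompt-expand only the fixed colour markup and emit the
# untrusted text with print -r (raw, no expansion of any kind) in between.
safe_print_raw() {
  print -Pn "%F{3}"
  print -rn -- "$1"
  print -Pn "%f: “%F{5}"
  print -rn -- "$2"
  print -P "%f”"
}

# Hardened shape 2: keep one print -P call but run it with PROMPT_SUBST reset
# (emulate -L zsh restores zsh's default options for the function body, and the
# option is off by default), and double every % so the text cannot smuggle in
# prompt escapes such as %F or %(...). Prompt expansion is then limited to the
# % sequences this function wrote itself.
safe_print_escaped() {
  emulate -L zsh
  print -P "%F{3}${1//\%/%%}%f: “%F{5}${2//\%/%%}%f”"
}

print -r -- '--- vulnerable: the payload runs ---'
vulnerable_print "$WHO" "$TXT"
print -r -- '--- hardened: the payload is printed as text ---'
safe_print_raw "$WHO" "$TXT"
safe_print_escaped "$WHO" "$TXT"
```

Run it with `zsh`; `print -P` and `emulate` are zsh-specific. The vulnerable call produces the `has no powerPWNED` line the PoC shows, while both hardened calls print the `$(echo PWNED)` characters literally; the second one also neutralises `%` sequences, which the raw-print variant never exposes to prompt expansion in the first place.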
CWE
  • CWE-78 - OS Command Injection
Assigner
  • @huntrdev (security@huntr.dev)
References
  • https://github.com/ohmyzsh/ohmyzsh/commit/72928432 (patch)
Impacted products
Vendor    Product            Version
ohmyzsh   ohmyzsh/ohmyzsh    affected; lower bound unspecified, fixed from commit 72928432 (version type: custom, i.e. a git commit rather than a release number)
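A check for a local install, added here and not part of ohmyzsh. It assumes `$ZSH` points at the Oh My Zsh checkout (OMZ's own variable, default `~/.oh-my-zsh`) and that `$plugins` is the array set in `~/.zshrc`, so it is meant to be sourced from the interactive shell that has them loaded. Everything it reports is derived from git history, the enabled-plugin list and the `PROMPT_SUBST` option; the function name is mine.

```zsh
#!/usr/bin/env zsh
# Added example, not part of ohmyzsh: checks a local Oh My Zsh install for
# CVE-2021-3727. Assumptions: $ZSH points at the checkout (OMZ's own variable,
# default ~/.oh-my-zsh) and $plugins is the array set in ~/.zshrc, so source
# this file from the interactive shell that has them loaded.

check_cve_2021_3727() {
  local zsh_dir="${1:-${ZSH:-$HOME/.oh-my-zsh}}"
  local fix=72928432               # commit that fixed rand-quote and hitokoto
  local -a enabled
  local rc=0 p

  # 1. History check. merge-base --is-ancestor succeeds only when the fix
  #    commit is reachable from HEAD; it also fails when the object is absent,
  #    so distinguish a shallow clone (the upstream installer uses --depth=1)
  #    from a genuinely old checkout before calling it vulnerable.
  if ! git -C "$zsh_dir" rev-parse --git-dir >/dev/null 2>&1; then
    print -r -- "undetermined: $zsh_dir is not a git checkout"
    rc=2
  elif git -C "$zsh_dir" merge-base --is-ancestor "$fix" HEAD 2>/dev/null; then
    print -r -- "ok: $zsh_dir contains fix commit $fix"
  elif [[ "$(git -C "$zsh_dir" rev-parse --is-shallow-repository)" == true ]]; then
    print -r -- "undetermined: shallow clone, fix commit $fix not in local history; run 'omz update' or 'git -C $zsh_dir fetch --unshallow' and re-check"
    rc=2
  else
    print -r -- "VULNERABLE: $zsh_dir predates fix commit $fix; run 'omz update'"
    rc=1
  fi

  # 2. Exposure check: the bug only matters when an affected plugin is loaded.
  #    (Ie) is zsh's exact-match reverse subscript: the element's index, or 0.
  for p in rand-quote hitokoto; do
    (( ${plugins[(Ie)$p]:-0} )) && enabled+=("$p")
  done
  if (( ${#enabled} )); then
    print -r -- "exposed: affected plugin(s) enabled: ${enabled[*]}"
  else
    print -r -- "ok: neither rand-quote nor hitokoto is enabled"
  fi

  # 3. The option that makes print -P an execution sink for $(...), backticks
  #    and ${(e)...}; Oh My Zsh sets it for its themes.
  [[ -o prompt_subst ]] && print -r -- "note: PROMPT_SUBST is set in this shell"

  return $rc
}

check_cve_2021_3727 "$@"
```

Source it (`source check-cve-2021-3727.zsh`) rather than running it as a script, otherwise `$plugins` is empty and the exposure check reports nothing enabled. The shallow-clone branch is the caveat worth keeping: the upstream installer clones with `--depth=1`, so an up-to-date install can still lack the history needed to prove the fix is present, and an "undetermined" result should be resolved by updating, not ignored.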

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ohmyzsh/ohmyzsh",
          "vendor": "ohmyzsh",
          "versions": [
            {
              "lessThan": "72928432",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n   ```zsh\n   add-zsh-hook precmd quote\n   add-zsh-hook precmd hitokoto\n   ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n   `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`.\n\n   - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n      ```plain\n      ...\n      \u003cp\u003eThe following quotations were randomly selected from  the collections selected below .\u003c/p\u003e\u003cdl\u003e\u003cdt class=\"quote\"\u003e\u003ca title=\"Click for further information about this quotation\" href=\"/quote/31081.html\"\u003eWhatever you fear most has no power$(echo PWNED) - it is your fear that has the power.\u003c/a\u003e \u003c/dt\u003e\u003cdd class=\"author\"\u003e\u003cdiv class=\"icons\"\u003e\u003ca title=\"Further information about this quotation\" href=\"/quote/31081.html\"\u003e\u003cimg src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"\u003e\u003cimg src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Email this quotation\" href=\"/quote/31081.html#email\"\u003e\u003cimg src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"\u003e\u003c/a\u003e\u003cimg src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"\u003e\u003c/div\u003e\u003cb\u003e\u003ca href=\"/quotes/Oprah_Winfrey/\"\u003eOprah Winfrey\u003c/a\u003e (1954 -  )\u003c/b\u003e, \u003ci\u003eO Magazine\u003c/i\u003e\u003c/dd\u003e\n      ...\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ quote\n      Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n      ```\n\n      Note that it\u0027s possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n   - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n      ```plain\n      {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ hitokoto\n      \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n      ```\n\n      `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-30T09:30:17",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
        }
      ],
      "title": "OS Command Injection in ohmyzsh/ohmyzsh",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3727",
          "STATE": "PUBLIC",
          "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ohmyzsh/ohmyzsh",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "72928432"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ohmyzsh"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n   ```zsh\n   add-zsh-hook precmd quote\n   add-zsh-hook precmd hitokoto\n   ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n   `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`.\n\n   - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n      ```plain\n      ...\n      \u003cp\u003eThe following quotations were randomly selected from  the collections selected below .\u003c/p\u003e\u003cdl\u003e\u003cdt class=\"quote\"\u003e\u003ca title=\"Click for further information about this quotation\" href=\"/quote/31081.html\"\u003eWhatever you fear most has no power$(echo PWNED) - it is your fear that has the power.\u003c/a\u003e \u003c/dt\u003e\u003cdd class=\"author\"\u003e\u003cdiv class=\"icons\"\u003e\u003ca title=\"Further information about this quotation\" href=\"/quote/31081.html\"\u003e\u003cimg src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"\u003e\u003cimg src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Email this quotation\" href=\"/quote/31081.html#email\"\u003e\u003cimg src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"\u003e\u003c/a\u003e\u003cimg src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"\u003e\u003c/div\u003e\u003cb\u003e\u003ca href=\"/quotes/Oprah_Winfrey/\"\u003eOprah Winfrey\u003c/a\u003e (1954 -  )\u003c/b\u003e, \u003ci\u003eO Magazine\u003c/i\u003e\u003c/dd\u003e\n      ...\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ quote\n      Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n      ```\n\n      Note that it\u0027s possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n   - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n      ```plain\n      {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ hitokoto\n      \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n      ```\n\n      `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432",
              "refsource": "MISC",
              "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3727",
    "datePublished": "2021-11-30T09:30:17",
    "dateReserved": "2021-08-19T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3727\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2021-11-30T10:15:08.940\",\"lastModified\":\"2024-11-21T06:22:15.777\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).\"},{\"lang\":\"es\",\"value\":\"# Vulnerabilidad en los plugins \\\"rand-quote\\\" y \\\"hitokoto\\\" **Descripci\u00f3n**: los plugins \\\"rand-quote\\\" y \\\"hitokoto\\\" obtienen las citas de quotationspage.com y hitokoto.cn respectivamente, realizan alg\u00fan proceso sobre ellas y luego usan \\\"print -P\\\" para imprimirlas. Si estas cotizaciones contienen los s\u00edmbolos apropiados, podr\u00edan desencadenar una inyecci\u00f3n de comandos. Dado que se trata de una API externa, no es posible saber si las comillas son seguras de usar. **Corregido en**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **\u00c1reas afectadas**: - Plugin \\\"rand-quote\\\" (funci\u00f3n \\\"quote\\\"). - Plugin \\\"hitokoto\\\" (funci\u00f3n \\\"hitokoto\\\")\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"72928432\",\"matchCriteriaId\":\"6F5DAA6D-AAD2-474D-881C-0DABE9C284CD\"}]}]}],\"references\":[{\"url\":\"https://github.com/ohmyzsh/ohmyzsh/commit/72928432\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ohmyzsh/ohmyzsh/commit/72928432\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

