GHSA-VG23-F593-6R27

Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2021-12-02 00:01

Details

Vulnerability in `rand-quote` and `hitokoto` plugins Description: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. Fixed in: 72928432. Impacted areas: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).

{
  "affected": [],
  "aliases": [
    "CVE-2021-3727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-30T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).",
  "id": "GHSA-vg23-f593-6r27",
  "modified": "2021-12-02T00:01:08Z",
  "published": "2021-12-01T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-3727 (GCVE-0-2021-3727)

Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:01

Title

OS Command Injection in ohmyzsh/ohmyzsh

Summary

# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-78 - OS Command Injection

Assigner

@huntrdev

References

URL

Tags

https://github.com/ohmyzsh/ohmyzsh/commit/72928432

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ohmyzsh	ohmyzsh/ohmyzsh	Affected: unspecified , < 72928432 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ohmyzsh/ohmyzsh",
          "vendor": "ohmyzsh",
          "versions": [
            {
              "lessThan": "72928432",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n   ```zsh\n   add-zsh-hook precmd quote\n   add-zsh-hook precmd hitokoto\n   ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n   `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`.\n\n   - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n      ```plain\n      ...\n      \u003cp\u003eThe following quotations were randomly selected from  the collections selected below .\u003c/p\u003e\u003cdl\u003e\u003cdt class=\"quote\"\u003e\u003ca title=\"Click for further information about this quotation\" href=\"/quote/31081.html\"\u003eWhatever you fear most has no power$(echo PWNED) - it is your fear that has the power.\u003c/a\u003e \u003c/dt\u003e\u003cdd class=\"author\"\u003e\u003cdiv class=\"icons\"\u003e\u003ca title=\"Further information about this quotation\" href=\"/quote/31081.html\"\u003e\u003cimg src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"\u003e\u003cimg src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Email this quotation\" href=\"/quote/31081.html#email\"\u003e\u003cimg src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"\u003e\u003c/a\u003e\u003cimg src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"\u003e\u003c/div\u003e\u003cb\u003e\u003ca href=\"/quotes/Oprah_Winfrey/\"\u003eOprah Winfrey\u003c/a\u003e (1954 -  )\u003c/b\u003e, \u003ci\u003eO Magazine\u003c/i\u003e\u003c/dd\u003e\n      ...\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ quote\n      Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n      ```\n\n      Note that it\u0027s possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n   - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n      ```plain\n      {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ hitokoto\n      \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n      ```\n\n      `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-30T09:30:17",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
        }
      ],
      "title": "OS Command Injection in ohmyzsh/ohmyzsh",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3727",
          "STATE": "PUBLIC",
          "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ohmyzsh/ohmyzsh",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "72928432"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ohmyzsh"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n   ```zsh\n   add-zsh-hook precmd quote\n   add-zsh-hook precmd hitokoto\n   ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n   `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`.\n\n   - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n      ```plain\n      ...\n      \u003cp\u003eThe following quotations were randomly selected from  the collections selected below .\u003c/p\u003e\u003cdl\u003e\u003cdt class=\"quote\"\u003e\u003ca title=\"Click for further information about this quotation\" href=\"/quote/31081.html\"\u003eWhatever you fear most has no power$(echo PWNED) - it is your fear that has the power.\u003c/a\u003e \u003c/dt\u003e\u003cdd class=\"author\"\u003e\u003cdiv class=\"icons\"\u003e\u003ca title=\"Further information about this quotation\" href=\"/quote/31081.html\"\u003e\u003cimg src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"\u003e\u003cimg src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Email this quotation\" href=\"/quote/31081.html#email\"\u003e\u003cimg src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"\u003e\u003c/a\u003e\u003cimg src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"\u003e\u003c/div\u003e\u003cb\u003e\u003ca href=\"/quotes/Oprah_Winfrey/\"\u003eOprah Winfrey\u003c/a\u003e (1954 -  )\u003c/b\u003e, \u003ci\u003eO Magazine\u003c/i\u003e\u003c/dd\u003e\n      ...\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ quote\n      Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n      ```\n\n      Note that it\u0027s possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n   - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n      ```plain\n      {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n      ```\n\n      Which would be printed by `print -P` as:\n\n      ```console\n      $ hitokoto\n      \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n      ```\n\n      `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432",
              "refsource": "MISC",
              "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3727",
    "datePublished": "2021-11-30T09:30:17",
    "dateReserved": "2021-08-19T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-VG23-F593-6R27

CVE-2021-3727 (GCVE-0-2021-3727)

Tags

Sightings

Nomenclature