This repository has been archived by the owner on Apr 24, 2020. It is now read-only.

Possible exploit? unescaped shell meta characters #445

Closed
sethdeckard opened this issue Mar 18, 2017 · 16 comments · Fixed by #486

Comments

@sethdeckard

I just recently switched to using this theme and happened to read about this exploit: https://github.com/njhartwell/pw3nage

I tested it on powerlevel9k and confirmed that it is vulnerable due to not escaping meta chars where they are displayed in the prompt (in this case the branch name of the git repo).

Steps to reproduce:

  1. clone the repo: https://github.com/njhartwell/pw3nage
  2. cd into the repo

The shell script included in the repo will execute due to the branch name $(./pw3n).

@shibumi

shibumi commented Mar 18, 2017

Hello,
Thanks for reporting this issue. Could you please specify the version or commit in your description? Or are you talking about the current HEAD?

By the way, I tested this issue on my host with version v0.5.0.r0.gc4fdc8f-1. v0.5.0 doesn't seem vulnerable. So the bugs are definitely in v0.6.0 and above.

@sethdeckard
Author

Hi @shibumi,
I reproduced this in the HEAD commit of master at the time of opening the issue.

If it matters I'm also using zsh 5.3.1 (x86_64-apple-darwin16.3.0) and the latest version of oh-my-zsh.

@dritter
Member

dritter commented Mar 20, 2017

Hmm. I cannot reproduce it. Neither on master, nor on next.
I tested with OSX and ZSH 5.3.1, and Ubuntu 14.04 with ZSH 5.0.2.

Strange.

@dritter
Member

dritter commented Mar 20, 2017

Did some more research and it turns out that the problem seems to be oh-my-zsh.
In the test-VM the theme is not vulnerable when I use the plain user (plain ZSH). But as soon as I switch to the oh-my-zsh user, the vulnerability shows up...

@bhilburn
Member

Also doesn't work for me on next or master. When I give it a go, it prints this error:

wall: cannot get tty name: Inappropriate ioctl for device

but does not execute.

Using zsh 5.2 (x86_64-redhat-linux-gnu) on Fedora 24, with OMZ latest commit being b908feebcfb from Feb 27th. Interesting that @sethdeckard's more recent version of ZSH seems to show this, but my older version does not.

I'd like to understand why it seems to be executing for @sethdeckard but no one else, just to be sure it's not a vulnerability in P9k. Any thoughts?

@bhilburn bhilburn self-assigned this Mar 21, 2017
@dritter
Member

dritter commented Mar 21, 2017

> I'd like to understand why it seems to be executing for @sethdeckard but no one else, just to be sure it's not a vulnerability in P9k. Any thoughts?

As said, try it with OMZ (e.g. in the VM). Then it will execute. ;)

@TJuberg

TJuberg commented Mar 21, 2017

I cannot reproduce this on current master, at least with zsh 5.3.1 (x86_64-unknown-linux-gnu).

So most likely something in OMZ being vulnerable.

@bhilburn
Member

bhilburn commented Mar 21, 2017

@dritter - What's weird to me is that I'm using OMZ, too, but am not vulnerable. I'll dig into how the VM is setting things up as soon as I get a chance.

@TJuberg - Thanks for the additional data point!

@dritter
Member

dritter commented Mar 21, 2017

@bhilburn may it be that you disabled OMZ's git plugin, and @sethdeckard enabled it?

@sethdeckard
Author

@dritter I do have the OMZ git plugin enabled but I just tried disabling it and it didn't make a difference.

@dritter
Member

dritter commented Mar 22, 2017

Hmm. If I switch to another OMZ theme, it seems not vulnerable. So it might be our problem after all...

@bhilburn
Member

bhilburn commented Apr 4, 2017

Okay, I still can't replicate this, and following this thread I can't sort out what the variable is that triggers the issue. It doesn't sound like it's specific to ZSH 5.3 / 5.2 or OSX / Linux.

The interplay between OMZ and P9k, here, could be making things complex. It appears that the exploit only works if OMZ is being used in conjunction with P9k, but only specific versions of OMZ (again, I'm using OMZ and can't trigger it).

@dritter - Which version of ZSH / OMZ are you using when you see it trigger?

@bhilburn bhilburn changed the title Theme vulnerable to exploit due to unescaped shell meta characters Possible exploit? unescaped shell meta characters Apr 4, 2017
@theSoenke

I can reproduce it with

  • zsh 5.2
  • OMZ master
  • powerlevel9k master
  • OS: Solus

Also no plugins enabled, and I've tested it with a couple of other themes and only powerlevel9k was vulnerable.

@bhilburn
Member

This is an open call for anyone knowledgeable about exploit analysis and ZSH who can help!

This is a long shot, but I wonder if @robbyrussell knows of any OMZ devs who might be able to take a peek at this.

@belak
Contributor

belak commented Apr 18, 2017

If I had to guess, only people who have prompt_subst set as an option somewhere outside this theme are seeing this issue. It doesn't appear if you use nopromptsubst.
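To make the prompt_subst point concrete, here is an added example (not code from powerlevel9k, oh-my-zsh or anyone in this thread) that simulates in POSIX sh what prompt_subst does on every prompt redraw: the prompt string is expanded once under double-quote rules, so untrusted text interpolated into the prompt at build time gets executed, while a variable referenced by name from a single-quoted template is substituted but never re-expanded. The branch name, template names and helper names are constructed for this demonstration; the percent-doubling helper reflects zsh's separate %-escape pass over the expanded prompt.

```shell
#!/bin/sh
# Constructed untrusted input: a git branch name carrying a command substitution.
UNTRUSTED_BRANCH='feature/$(echo INJECTED)'

# Vulnerable pattern: the branch text is interpolated NOW (double quotes), so the
# command substitution becomes part of the template and runs on every redraw.
PROMPT_UNSAFE="[$UNTRUSTED_BRANCH] > "

# Hardened pattern: single quotes keep only a variable *reference* in the template.
# The vcs hook stores the value in a variable; the prompt reads it by name.
PROMPT_SAFE='[${branch}] > '
branch=$UNTRUSTED_BRANCH

# Simulates the shell drawing the prompt: one pass of parameter expansion,
# command substitution and arithmetic expansion, exactly what prompt_subst
# (and bash's promptvars) apply to the prompt string.
render_prompt() {
    eval "printf '%s' \"$1\""
}

# zsh also runs its own %-escapes (%F, %n, ...) over the expanded result, so a
# literal % in untrusted text must be doubled before it reaches the prompt.
escape_percent() {
    printf '%s' "$1" | sed 's/%/%%/g'
}

# Returns 0 when the untrusted text survives verbatim in the rendered prompt,
# i.e. nothing inside it was interpreted.
prompt_is_literal() {
    case "$(render_prompt "$1")" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: the same branch name rendered through both templates.
printf 'unsafe template renders: %s\n' "$(render_prompt "$PROMPT_UNSAFE")"
printf 'safe template renders:   %s\n' "$(render_prompt "$PROMPT_SAFE")"
```

The unsafe template renders `[feature/INJECTED] > ` because the embedded command ran; the safe one shows the branch name exactly as stored.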

@bhilburn
Member

@belak fixed this one in #486! Thanks so much for everyone's time in testing this and sharing configs, and thanks to @sethdeckard for originally reporting this! I greatly appreciate everyone's contributions to getting this resolved.


7 participants