CVE-2021-3727 - OpenCVE

# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Planetargon	Oh My Zsh

Configuration 1 [-]

cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ohmyzsh/ohmyzsh/commit/72928432	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2021-11-30T09:30:17

Updated: 2021-11-30T09:30:17

Reserved: 2021-08-19T00:00:00

Link: CVE-2021-3727

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-30T10:15:08.940

Modified: 2021-12-01T08:05:03.300

Link: CVE-2021-3727

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "ohmyzsh/ohmyzsh", "vendor": "ohmyzsh", "versions": [{"lessThan": "72928432", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."}], "exploits": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T09:30:17", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"}], "title": "OS Command Injection in ohmyzsh/ohmyzsh", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3727", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ohmyzsh/ohmyzsh", "version": {"version_data": [{"version_affected": "<", "version_value": "72928432"}]}}]}, "vendor_name": "ohmyzsh"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."}]}, "exploit": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"}], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432", "refsource": "MISC", "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"}]}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3727", "datePublished": "2021-11-30T09:30:17", "dateReserved": "2021-08-19T00:00:00", "dateUpdated": "2021-11-30T09:30:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F5DAA6D-AAD2-474D-881C-0DABE9C284CD", "versionEndExcluding": "72928432", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."}, {"lang": "es", "value": "# Vulnerabilidad en los plugins \"rand-quote\" y \"hitokoto\" **Descripci\u00f3n**: los plugins \"rand-quote\" y \"hitokoto\" obtienen las citas de quotationspage.com y hitokoto.cn respectivamente, realizan alg\u00fan proceso sobre ellas y luego usan \"print -P\" para imprimirlas. Si estas cotizaciones contienen los s\u00edmbolos apropiados, podr\u00edan desencadenar una inyecci\u00f3n de comandos. Dado que se trata de una API externa, no es posible saber si las comillas son seguras de usar. **Corregido en**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **\u00c1reas afectadas**: - Plugin \"rand-quote\" (funci\u00f3n \"quote\"). - Plugin \"hitokoto\" (funci\u00f3n \"hitokoto\")"}], "id": "CVE-2021-3727", "lastModified": "2021-12-01T08:05:03.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2021-11-30T10:15:08.940", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Primary"}]}