Authors: Oliver Kiddle | Risk: High | CVE: CVE-2018-1100 | 0day: Arbitrary Code Execution | 0day-id: 0DAY-1100 | Date: 2018-04-16
A vulnerability in the utils.c:checkmailpath function of the zsh utility could allow a local attacker to execute arbitrary code on a targeted system.
The vulnerability is due to improper bounds checking by the affected software when the utils.c:checkmailpath function, as defined in the Src/utils.c source code file of the affected software, is used. An attacker could exploit this vulnerability by creating a malicious message file that is designed to set a custom message and sending the file to a targeted user. If the user opens the message, a stack-based buffer overflow condition could occur, which the attacker could use to execute arbitrary code with the privileges of the user. If the user has elevated privileges, a successful exploit could result in a complete system compromise.
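The defect class the advisory describes is a fixed-size stack buffer that receives a path assembled from attacker-influenced strings without first comparing their lengths against the buffer. The following C program is an added illustration of that class and of the corresponding bounds check; it is constructed for this page and is not zsh's own checkmailpath code. The names join_path_unchecked, join_path_checked, check_mail_entry and the 64-byte BUF_SIZE are assumptions chosen to keep the example small (a real shell would size the buffer with PATH_MAX).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed small limit so the check is easy to exercise. */
#define BUF_SIZE 64

/* Unchecked pattern (illustration of the bug class, not zsh's code): the
 * lengths of dir and name are never compared with the destination size, so
 * a long name overruns the caller's stack buffer. Only ever called below
 * with a short, known-safe input. */
static void join_path_unchecked(char *dst, const char *dir, const char *name)
{
    sprintf(dst, "%s/%s", dir, name);
}

/* Hardened form: compute the required length first (including the
 * separator and the terminating NUL), refuse anything that does not fit,
 * and only then write with a bounded call. Returns 0 on success or -1 when
 * the result would not fit; dst is left untouched on failure. */
static int join_path_checked(char *dst, size_t dstsz,
                             const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;
    if (need > dstsz)
        return -1;
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    return (n >= 0 && (size_t)n < dstsz) ? 0 : -1;
}

/* Simulates the caller that expands one mail-path entry into a stack
 * buffer. Returns the length of the assembled path, or -1 when the entry is
 * rejected as too long (it is never copied, so nothing overflows). */
static int check_mail_entry(const char *dir, const char *name)
{
    char buf[BUF_SIZE];
    if (join_path_checked(buf, sizeof buf, dir, name) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed sample inputs: one short name and one oversized name. */
    char long_name[BUF_SIZE * 2];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    char small[BUF_SIZE];
    join_path_unchecked(small, "/var/mail", "alice");   /* safe only because the input is short */
    printf("unchecked join -> %s\n", small);

    printf("short entry -> %d\n", check_mail_entry("/var/mail", "alice"));
    printf("long entry  -> %d\n", check_mail_entry("/var/mail", long_name));
    return 0;
}
```

The key design point is that join_path_checked measures before it writes and treats "does not fit" as an error the caller must handle, rather than relying on the formatting call to stop at the buffer end; silently truncating a path is itself a correctness problem, so rejecting the entry is the safer outcome.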
The vendor has confirmed the vulnerability and released software updates.
Administrators are advised to allow only trusted users to access local systems.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators are advised to monitor affected systems.