zsh utils.c:checkmailpath Function – Local Arbitrary Code Execution

Authors: Oliver Kiddle
Risk: High
CVE: CVE-2018-1100
0day: Arbitrary Code Execution
0day-id: 0DAY-1100
Date: 2018-04-16


A vulnerability in the utils.c:checkmailpath function of the zsh utility could allow a local attacker to execute arbitrary code on a targeted system.

The vulnerability is due to improper bounds checking by the affected software when the utils.c:checkmailpath function, as defined in the Src/utils.c source code file of the affected software, is used. An attacker could exploit this vulnerability by creating a malicious message file that is designed to set a custom message and sending the file to a targeted user. If the user opens the message, a stack-based buffer overflow condition could occur, which the attacker could use to execute arbitrary code with the privileges of the user. If the user has elevated privileges, a successful exploit could result in a complete system compromise.
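The bounds check this class of bug lacks, as an added example that is not zsh source code and not taken from the vendor's fix. The function names are hypothetical, the sample entry is constructed, and the `path?message` layout follows zsh's documented mailpath format rather than anything stated on this page; joining a directory and a file name is assumed here as the place where a fixed-size stack buffer gets filled.

```c
/* Illustrative only: not zsh source. split_entry() and join_path() are
 * hypothetical names introduced for this example. */
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Split a "path?message" entry in place. Returns the custom message,
 * or NULL when the entry carries none. */
static char *split_entry(char *entry)
{
    char *q = strchr(entry, '?');
    if (!q)
        return NULL;
    *q = '\0';
    return q + 1;
}

/* Join dir and name into out[outlen] as "dir/name".
 * Returns 0 on success, -1 if the result plus its NUL would not fit.
 * The unsafe form of this join copies both parts with no length check,
 * so an over-long component writes past the end of the stack buffer. */
static int join_path(char *out, size_t outlen, const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);

    /* Compare by subtraction so the size arithmetic cannot wrap. */
    if (outlen < 2 || dl > outlen - 2 || nl > outlen - 2 - dl)
        return -1;
    memcpy(out, dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, name, nl + 1);   /* nl + 1 copies the NUL too */
    return 0;
}

int main(void)
{
    char entry[] = "/var/mail/alice?You have mail";  /* constructed sample */
    char buf[PATH_MAX];
    char *msg = split_entry(entry);

    if (join_path(buf, sizeof buf, entry, "new") == 0)
        printf("check %s (message: %s)\n", buf, msg ? msg : "(default)");
    return 0;
}
```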

The vendor has confirmed the vulnerability and released software updates.


To exploit this vulnerability, an attacker must have local access to the affected system in order to create a malicious message file. In addition, the attacker must persuade a user to open the message file.



Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to access local systems.

Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

Administrators are advised to monitor affected systems.