CVE-2021-3727
📋 TL;DR
CVE-2021-3727 is a command injection vulnerability in Oh My Zsh's rand-quote and hitokoto plugins. These plugins fetch quotes from external APIs (quotationspage.com and hitokoto.cn); a malicious quote containing shell metacharacters could execute arbitrary commands on the user's system. Users who have enabled either of these plugins in their Oh My Zsh configuration are affected.
💻 Affected Systems
- Oh My Zsh
📦 What is this software?
Oh My Zsh by Planetargon
⚠️ Risk & Real-World Impact
Worst Case
An attacker controlling the external API responses could execute arbitrary commands with the privileges of the user running Zsh, potentially leading to full system compromise, data theft, or lateral movement.
Likely Case
Malicious quote content could execute limited commands, potentially stealing session data, modifying files, or establishing persistence.
If Mitigated
With proper input validation and sanitization, the risk is eliminated as malicious quote content would be treated as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires:
- The user has a vulnerable plugin enabled
- The user runs the plugin command
- The external API returns malicious quote content with shell metacharacters
- Proper shell environment conditions
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 72928432 or later
Vendor Advisory: https://github.com/ohmyzsh/ohmyzsh/commit/72928432
Restart Required: No
Instructions:
1. Update Oh My Zsh to the latest version: 'omz update'
2. Alternatively, manually apply commit 72928432
3. Restart the Zsh terminal session
🔧 Temporary Workarounds
Disable vulnerable plugins
Remove the rand-quote and hitokoto plugins from your Oh My Zsh configuration
Edit ~/.zshrc and remove 'rand-quote' and 'hitokoto' from plugins array
Then run: source ~/.zshrc
Use safe quote sources
Configure the plugins to use trusted, local quote sources instead of external APIs
Create local quote files and modify plugin configuration to use them
🧯 If You Can't Patch
- Disable the rand-quote and hitokoto plugins immediately
- Implement network controls to block connections to quotationspage.com and hitokoto.cn
🔍 How to Verify
Check if Vulnerable:
Check whether the rand-quote or hitokoto plugin is enabled in ~/.zshrc and whether your Oh My Zsh checkout predates commit 72928432
Check Version:
cd ~/.oh-my-zsh && git log --oneline -1
Verify Fix Applied:
Verify Oh My Zsh is updated past commit 72928432 and check that quote functions properly sanitize input
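A script for the two checks above, added here as an example; it is not part of the advisory or of the ohmyzsh project, and it assumes the default ~/.oh-my-zsh location and the fix commit's short hash quoted above. Since 'git log --oneline -1' only shows HEAD and the default installer makes a shallow clone, the script reports separately when the fix commit cannot be found in local history.

```shell
#!/bin/sh
# Added example (not from the advisory or the ohmyzsh project): report whether
# ~/.zshrc enables rand-quote/hitokoto and whether fix commit 72928432 is present.

# Print the affected plugins enabled in the zshrc at $1 (one per line), returning
# 0; return 1 if none is enabled. Handles single-line and multi-line plugins=( ... )
# arrays as well as plugins+=( ... ), and skips commented-out lines.
enabled_vulnerable_plugins() {
  zshrc="$1"
  found=$(awk '
      /^[ \t]*#/ { next }                         # commented-out lines
      /^[ \t]*plugins[+]?=\(/ { inarr = 1 }       # plugins=( or plugins+=(
      inarr { print; if (/\)/) inarr = 0 }        # through the closing paren
    ' "$zshrc" \
    | tr -s '()=+\t' ' ' | tr ' ' '\n' \
    | grep -E '^(rand-quote|hitokoto)$' | sort -u)
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Return 0 if the checkout at $1 (default ~/.oh-my-zsh) has commit 72928432 in the
# history of HEAD, 1 if HEAD predates it, 2 if this cannot be determined locally:
# the default installer clones with --depth=1, so the commit object may be absent.
has_fix_commit() {
  omz="${1:-$HOME/.oh-my-zsh}"
  fix=72928432
  git -C "$omz" rev-parse --verify --quiet "${fix}^{commit}" >/dev/null 2>&1 || return 2
  git -C "$omz" merge-base --is-ancestor "$fix" HEAD
}

# Constructed sample ~/.zshrc (not a real user's file) written to $1.
write_sample_zshrc() {
  cat > "$1" <<'EOF'
export ZSH="$HOME/.oh-my-zsh"
# plugins=(hitokoto)   commented out, must be ignored
plugins=(
  git
  rand-quote
)
source $ZSH/oh-my-zsh.sh
EOF
}

# Stand-alone run: check the constructed sample, then the local checkout.
sample=$(mktemp)
write_sample_zshrc "$sample"
if enabled_vulnerable_plugins "$sample"; then echo "affected plugin(s) enabled"; fi
rm -f "$sample"
if has_fix_commit; then echo "fix commit present in local history"
elif [ $? -eq 2 ]; then echo "cannot tell locally (no checkout or shallow clone); run 'omz update'"
else echo "HEAD predates the fix; run 'omz update'"; fi
```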
📡 Detection & Monitoring
Log Indicators:
- Unexpected child processes spawned by zsh right after a quote plugin command runs
- Network connections to quotationspage.com or hitokoto.cn with suspicious timing
Network Indicators:
- Outbound connections to quotationspage.com or hitokoto.cn from Zsh processes
SIEM Query:
process:zsh AND (network.destination:quotationspage.com OR network.destination:hitokoto.cn) AND process.command_line:*quote*