Zen C Compiler Command Injection Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A command injection vulnerability has been identified in the Zen C compiler, specifically in versions prior to 0.4.2. The issue allows local attackers to execute arbitrary shell commands by supplying a specially crafted output filename through the '-o' command-line argument. This vulnerability arises in the main application logic, where the compiler concatenates user-controlled filenames into a command string that is executed via the 'system()' function. The 'system()' function invokes a shell, which interprets shell metacharacters in the filename, leading to unauthorized command execution. Attackers can exploit this vulnerability by manipulating command-line arguments, such as through build scripts or CI/CD pipeline configurations, to execute commands with the privileges of the user running the compiler.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host system, with the commands being executed under the privileges of the user running the Zen C compiler.
Reproduction
To reproduce this vulnerability, compile a Zen C source file using the 'zc' compiler and include a malicious output filename with the '-o' flag. The injected command will be executed after the compilation process.
Remediation
Users are advised to update to Zen C version 0.4.2 or later, where this vulnerability has been fixed by removing 'system()' calls, implementing a new argument list management utility, and ensuring that command-line arguments are handled securely.
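The pattern described above (a user-controlled `-o` value spliced into a command string handed to `system()`) and the shape of the fix (an argument-list utility plus execution without a shell) are both shown in the following C example. It is added here for illustration and is not Zen C's source code; the `arglist` type, the `build_command_unsafe`, `run_argv` and `has_shell_metachar` functions, and the sample file names are all assumptions made for this example. The unsafe command string is built only for contrast and is never executed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (illustrative only, not Zen C's code): the output name is
 * spliced into one command string.  Once such a string reaches system(),
 * /bin/sh parses it, so a ';' or '$(' inside the name becomes shell syntax.
 * Returns a malloc'd string; this example never passes it to system(). */
char *build_command_unsafe(const char *cc, const char *objfile, const char *outfile) {
    size_t n = strlen(cc) + strlen(objfile) + strlen(outfile) + 8;
    char *cmd = malloc(n);
    if (!cmd) return NULL;
    snprintf(cmd, n, "%s %s -o %s", cc, objfile, outfile);
    return cmd;
}

/* Minimal argument-list builder (assumed design, standing in for the
 * "argument list management utility" the advisory mentions).  Every value
 * becomes exactly one argv element, so no shell parsing ever takes place. */
typedef struct {
    char **argv;
    size_t len, cap;
} arglist;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

int arglist_init(arglist *a) {
    a->cap = 8;
    a->len = 0;
    a->argv = calloc(a->cap, sizeof *a->argv);
    return a->argv ? 0 : -1;
}

int arglist_push(arglist *a, const char *s) {
    if (a->len + 2 > a->cap) {                 /* keep room for the NULL terminator */
        char **nv = realloc(a->argv, a->cap * 2 * sizeof *nv);
        if (!nv) return -1;
        a->argv = nv;
        a->cap *= 2;
    }
    if (!(a->argv[a->len] = dup_str(s))) return -1;
    a->argv[++a->len] = NULL;
    return 0;
}

void arglist_free(arglist *a) {
    for (size_t i = 0; i < a->len; i++) free(a->argv[i]);
    free(a->argv);
    a->argv = NULL;
    a->len = a->cap = 0;
}

/* Hardened execution: fork + execvp on the argv array.  No shell is
 * involved, so metacharacters in the output name are just bytes in a
 * file name.  Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth: even though execvp makes them harmless, an output
 * name carrying shell metacharacters or control bytes is almost never
 * intended and is worth rejecting early.  Returns 1 if one is present. */
int has_shell_metachar(const char *s) {
    static const char meta[] = ";|&$`<>(){}[]*?!~'\"\\ \t\n";
    for (; *s; s++)
        if (strchr(meta, *s) || (unsigned char)*s < 0x20) return 1;
    return 0;
}

/* Demonstration on a constructed hostile name: it stays a single argv
 * element, and a harmless `echo` run through run_argv prints it verbatim
 * instead of treating the text after ';' as a second command. */
int demo_outfile_is_single_argument(const char *outfile) {
    arglist a;
    if (arglist_init(&a)) return 0;
    int ok = arglist_push(&a, "echo") == 0 && arglist_push(&a, "obj.o") == 0 &&
             arglist_push(&a, "-o") == 0 && arglist_push(&a, outfile) == 0;
    ok = ok && a.len == 4 && strcmp(a.argv[3], outfile) == 0 && run_argv(a.argv) == 0;
    arglist_free(&a);
    return ok;
}

/* Pushes n items and checks the list grew correctly and stays NULL-terminated. */
int demo_arglist_growth(size_t n) {
    arglist a;
    if (arglist_init(&a)) return 0;
    for (size_t i = 0; i < n; i++)
        if (arglist_push(&a, "x")) { arglist_free(&a); return 0; }
    int ok = a.len == n && a.argv[n] == NULL;
    arglist_free(&a);
    return ok;
}
```

The contrast to look for is in `demo_outfile_is_single_argument`: the constructed name `out.bin; echo tainted` reaches the child process as one argument, whereas the string returned by `build_command_unsafe` for the same name contains a `;` that a shell would treat as a command separator. Checking `-o` values with `has_shell_metachar` is an extra guard; the actual fix is to never route arguments through a shell.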