Even "cat readme.txt" is not safe
5 hours ago
- #security-vulnerability
- #iTerm2
- #code-execution
- The article describes a security vulnerability in iTerm2 where running 'cat readme.txt' can lead to arbitrary code execution.
- iTerm2's SSH integration feature uses a helper script called the conductor, which communicates via terminal escape sequences over a PTY.
- The core bug is that iTerm2 accepts conductor protocol messages from untrusted terminal output, allowing malicious files to impersonate a conductor.
- Exploitation involves a malicious file that forges DCS 2000p and OSC 135 sequences to trick iTerm2 into following a fake conductor workflow.
- The attack leverages controlled 'sshargs' to craft a base64-encoded payload that, when processed, executes a local executable file.
- The vulnerability results from PTY confusion, where commands meant for a remote conductor are instead processed by the local shell.
- A proof-of-concept is provided via a Python script, and the bug was fixed by iTerm2 following disclosure.
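As an added defender-side check (not code from the article or from iTerm2), the script below scans a file for the DCS 2000p and OSC 135 sequences the summary names before the file is shown in a terminal, and can neutralise them by making ESC visible. The sample bytes are constructed, and restricting the match to the 7-bit ESC-prefixed forms is an assumption of this example.

```python
import re
import sys

# Patterns for the two escape sequences named in the write-up, plus a
# catch-all for any other DCS/OSC introducer. Only the 7-bit ESC-prefixed
# forms are matched (assumption): the 8-bit C1 forms (0x90, 0x9d) collide
# with UTF-8 continuation bytes and would false-positive on ordinary text.
PATTERNS = {
    "DCS 2000p": re.compile(rb"\x1bP2000p"),
    "OSC 135": re.compile(rb"\x1b\]135;"),
    "other DCS": re.compile(rb"\x1bP(?!2000p)"),
    "other OSC": re.compile(rb"\x1b\](?!135;)"),
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every pattern found in data (empty if clean)."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def sanitize(data: bytes) -> bytes:
    """Make ESC visible as '^[' so the terminal prints a sequence as text
    instead of interpreting it; tabs, newlines and CR are left untouched."""
    return data.replace(b"\x1b", b"^[")


def scan_file(path: str) -> list[str]:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed samples: a clean README and one carrying forged sequences.
CLEAN = b"# Project README\n\nRun `make` to build, `make test` to test.\n"
FORGED = (b"# Project README\n"
          b"\x1bP2000p<conductor framing>\x1b\\"      # DCS 2000p ... ST
          b"\x1b]135;<conductor message>\x07\n")      # OSC 135 ... BEL

if __name__ == "__main__":
    for path in sys.argv[1:]:
        hits = scan_file(path)
        print(f"{path}: {'clean' if not hits else ', '.join(hits)}")
```

A clean result only means these introducers are absent; it is not a substitute for updating iTerm2 to the fixed release.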