Full Report
Terminals are the most common way for developers to interact with computers, and their control codes are conveyed in-band, mixed into the same byte stream as the text the user sees. Escape sequences like \x1b[32m (set the foreground colour to green) are a familiar example. The author decided to look into the iTerm2 emulator. Much like phone phreaking back in the day, the goal of the attack is to use arbitrary characters printed to the terminal to change the control flow of the terminal itself. The idea behind the attack is to stick characters into stdin via terminal escape codes; by doing this, we can force a command to be executed.

The payload is a complete mess to look at, but the concept is simply this with various twists. For instance, the \x1b[5n code is a Device Status Report (DSR) query. The terminal answers it with a reply, and that reply ends up pushing the character n into stdin. By using this and various other things, we craft arbitrary commands. Then, we push the command arg1|m4 using various shenanigans for pushing data to stdin. The m4 command is a general-purpose macro processor, allowing for code execution via the previous input of syscmd(open -a Calculator). The line \x1bP1000p%session-changed $9 s\n acts as a tmux (terminal multiplexer) control-mode message that will press enter for us, executing the command now sitting in stdin.

I don't fully understand the payload. There's a lot of juggling between things, and the actual reason for searching through history isn't very well explained. Regardless, I loved the attack method and hope to see many more of these in the future.
Analysis Summary
# Vulnerability: Remote Code Execution via Terminal Escape Sequence Injection in iTerm2
## CVE Details
- **CVE ID:** CVE-2023-46300, CVE-2023-46301
- **CVSS Score:** Not explicitly listed in the article, but the impact is Arbitrary Remote Code Execution (High/Critical).
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command) / CWE-159 (Improper Handling of Invalid Use of Special Elements).
## Affected Systems
- **Products:** iTerm2 (Terminal Emulator for macOS).
- **Versions:** Reported and confirmed on version 3.5.0beta10 and earlier.
- **Configurations:** Systems where iTerm2 is used to display untrusted or non-sanitized content (e.g., `cat`ing a malicious file, viewing logs, or connecting to a compromised remote server).
## Vulnerability Description
The vulnerability stems from the way iTerm2 handles "in-band" control codes (escape sequences). Specifically, certain non-standard features—Tmux integration and "Request upload"—mishandle escape sequences in a way that allows an attacker to inject characters, including a linefeed (`\n`), into the terminal's standard input (stdin).
By chaining specific escape sequences (Device Status Report, Request Status String, and XTREPORTSGR), an attacker can make the terminal "reply" with chosen strings, and those replies are delivered to the shell as if the user had typed them. By carefully crafting the replies, and by piping the result into the `m4` macro processor, whose `syscmd()` macro runs a shell command, the attacker can place a working command in the input buffer. The exploit concludes by using a tmux-specific escape sequence (`%session-changed`) to trigger a newline, executing the buffered command without user intervention.
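The two-stage mechanism described above and in the full report (a terminal reply lands in the program's stdin exactly as if it had been typed, and then sits in the line buffer until something supplies a newline) can be reproduced with a pseudo-terminal. The script below is an added example, not code from the writeup or from iTerm2: it plays the terminal emulator on the master side of a pty and answers the one query whose reply format is standard, Device Status Report (`ESC[5n`, answered with `ESC[0n`). The child program and the explicit newline that stands in for the `%session-changed` trick are constructed for the demonstration; the real payload uses additional sequences to assemble a command, which this model does not attempt.

```python
"""Model of the in-band reply channel that the iTerm2 writeup abuses.

A pty is created; a child program runs on the slave side (as a shell would),
and this script plays the terminal emulator on the master side.  The child
only PRINTS an escape sequence; it never asks for keyboard input.  Yet a
Device Status Report query (ESC [ 5 n) makes the emulator write its reply
(ESC [ 0 n) onto the master, and the kernel delivers that reply to the
child's stdin as if a user had typed it.  In canonical mode the bytes stay
in the line buffer until a newline arrives, which is why the writeup needs a
second trick to "press enter".
"""
import os
import pty
import select
import subprocess
import sys
import time

DSR_QUERY = b"\x1b[5n"   # CSI 5 n: "report device status"
DSR_REPLY = b"\x1b[0n"   # CSI 0 n: "terminal OK" (what a real terminal answers)

# Constructed child program: emit a query, then block on stdin like a shell prompt.
# It reports the line it received as hex so the tty's echo cannot confuse parsing.
CHILD = r"""
import sys
sys.stdout.buffer.write(b"\x1b[5n")          # print a Device Status Report query
sys.stdout.buffer.flush()
line = sys.stdin.buffer.readline()           # wait for a complete input line
sys.stdout.buffer.write(b"GOT:" + line.hex().encode() + b"\n")
sys.stdout.buffer.flush()
"""


def run_emulated_terminal(press_enter: bool, timeout: float = 5.0) -> bytes:
    """Answer the child's DSR query as a terminal would; return the line the child read.

    press_enter=True additionally writes a newline after the reply (the role the tmux
    notification plays in the writeup).  With press_enter=False the reply stays
    buffered, the child never returns from readline(), and b"" is returned.
    """
    master, slave = pty.openpty()
    child = subprocess.Popen([sys.executable, "-u", "-c", CHILD],
                             stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)                       # only the child holds the slave side now
    seen = b""                            # everything the "emulator" has displayed
    replied = False
    deadline = time.monotonic() + timeout
    try:
        while time.monotonic() < deadline:
            ready, _, _ = select.select([master], [], [], 0.1)
            if ready:
                try:
                    chunk = os.read(master, 4096)
                except OSError:           # EIO on Linux once the child has gone
                    break
                if not chunk:
                    break
                seen += chunk
            if not replied and DSR_QUERY in seen:
                os.write(master, DSR_REPLY)   # in-band reply goes to the child's stdin
                if press_enter:
                    os.write(master, b"\n")   # stand-in for the "press enter" sequence
                replied = True
            if b"GOT:" in seen and b"\n" in seen[seen.index(b"GOT:"):]:
                break                         # child has reported a full line
    finally:
        os.close(master)
        if child.poll() is None:
            child.kill()
        child.wait()
    if b"GOT:" not in seen:
        return b""
    hexpart = seen[seen.index(b"GOT:") + 4:].split(b"\r")[0].split(b"\n")[0]
    return bytes.fromhex(hexpart.decode())


if __name__ == "__main__":
    print("with newline   :", run_emulated_terminal(True))
    print("without newline:", run_emulated_terminal(False, timeout=1.0))
```

Run it and the first call returns `b'\x1b[0n\n'`: the terminal's own reply, delivered to a program that never read the keyboard. The second call returns nothing because, without a newline, the canonical line discipline holds the reply back, which is exactly the gap the `%session-changed` line closes in the real exploit.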
## Exploitation
- **Status:** PoC available (demonstrated by the researcher).
- **Complexity:** High (requires precise "juggling" of buffers and knowledge of specific terminal responses).
- **Attack Vector:** Network/Remote (via any method that prints characters to the victim's terminal window).
## Impact
- **Confidentiality:** High (commands run with the victim's privileges in their local shell).
- **Integrity:** High (Ability to execute arbitrary commands).
- **Availability:** High (Potential for system takeover or denial of service).
## Remediation
### Patches
- iTerm2 users should update to the latest available version via the built-in update mechanism or by visiting the official site. The developer (gnachman) released patches shortly after the report.
### Workarounds
- Avoid displaying untrusted files or output from unknown sources directly in the terminal.
- Use a terminal that does not implement proprietary escape sequences for "Request upload" or "Tmux integration" until patched.
## Detection
- **Indicators of compromise:** Unusual commands appearing in shell history, such as `m4` invocations or `syscmd()` macros; query or control sequences such as `\x1b[5n`, `\x1bP$q` or `\x1bP1000p` inside files, logs or remote output that is about to be displayed.
- **Detection methods and tools:** Monitor terminal logs or process execution for suspicious activity originating from the terminal emulator process, for example an interactive shell under iTerm2 spawning `m4` or other unexpected children.
## References
- Vendor Site: [https://iterm2.com/]
- Researcher Blog: [https://blog.solidsnail.com/posts/2023-08-28-iterm2-rce]
- NVD CVE-2023-46300: [https://nvd.nist.gov/vuln/detail/CVE-2023-46300]
- NVD CVE-2023-46301: [https://nvd.nist.gov/vuln/detail/CVE-2023-46301]