iTerm2 SSH Conductor Trust Failure Vulnerability Analysis (Arbitrary Code Execution)

Vulnerability Summary: MAD Bugs: Even "cat readme.txt" is not safe Vulnerability Overview This is a security vulnerability targeting the iTerm2 terminal emulator. The flaw stems from a trust failure in iTerm2’s SSH integration feature (Conductor). Principle: During an SSH session, iTerm2 parses specific terminal escape sequences (OSC 135 and DCS 2080p) to communicate with a helper script (Conductor) on the remote side. Attack Vector: An attacker can craft a text file containing a forged Conductor protocol (e.g., ). When a user executes in iTerm2, iTerm2 incorrectly interprets the forged sequences in the file as legitimate Conductor commands. Impact: iTerm2 will execute the forged commands, including running and , ultimately leading to arbitrary code execution (ACE) on the local machine. Affected Scope Affected Software: iTerm2. Trigger Condition: User views a file containing maliciously crafted content in iTerm2 (e.g., executing ). Exploitation Method: No remote connection required; local file reading alone can trigger the exploit. Remediation Fix Status: The vulnerability has been fixed in iTerm2 commit . Note: As of the article’s publication, this fix has not yet been released in stable versions (Stable Releases). POC Code & Exploitation Steps 1. Script for Generating POC File ( ) Use the tool to generate the exploit file: 2. Structure of Generated Exploit Files The above script generates the following files: : An executable helper script. : A file containing malicious DCS 2080p and OSC 135 sequences. 3. Exploitation Steps To successfully exploit, perform the following actions: 1. Ensure the executable exists in the directory. 2. In iTerm2, run: 3. iTerm2 parses the forged protocol in and eventually executes , achieving code execution. 4. Brief Description of Core Exploitation Logic contains forged DCS 2080p hooks and OSC 135 replies. iTerm2 mistakenly treats this as a legitimate SSH Conductor session. The forged OSC 135 message simulates responses for and . Finally, iTerm2 constructs and executes a command whose payload is base64-encoded; the last chunk of data decodes to , thereby executing the local malicious script.

Goal Reached Thanks to every supporter — we hit 100%!

iTerm2 SSH Conductor Trust Failure Vulnerability Analysis (Arbitrary Code Execution)