Security Vulnerability in iTerm2: 'cat readme.txt' Command Can Enable Arbitrary Code Execution
By arkadiyt
1mo ago · 5 min read
Summary
The article describes a security vulnerability in iTerm2 in which the seemingly harmless command 'cat readme.txt' can be exploited for arbitrary code execution. The root cause lies in iTerm2's SSH integration feature and the way it uses the pseudo-terminal (PTY): terminal output is able to impersonate one side of the feature's protocol. The research was conducted in partnership with OpenAI and builds on previous work about AI-discovered bugs in Vim and Emacs.
Key quotes (5 pulled)
· It turns out that it is NOT, if you use iTerm2.
· That looks insane until you understand what iTerm2 is trying to do for a legitimate feature, how it uses the PTY, and what happens when terminal output is able to impersonate one side of that feature's protocol.
· We'd like to acknowledge OpenAI for partnering with us on this project.
· iTerm2 has an SSH integration feature
· Turning 'cat readme.txt' into arbitrary code execution in iTerm2.

