Inspektor Gadget Unsanitized ANSI Escape Sequences Vulnerability in Columns Output Mode

Vulnerability

A vulnerability exists in Inspektor Gadget versions through 0.49.0, where the 'columns' output mode fails to sanitize string fields from eBPF events before rendering them in the terminal. This lack of sanitization allows a maliciously crafted event payload from an observed container to inject escape sequences into the terminals of Inspektor Gadget operators, potentially leading to various effects. The 'columns' output mode is the default when running Inspektor Gadget interactively.

Impact

Exploitation of this vulnerability can cause log injection by manipulating how log entries are displayed, such as overwriting existing logs or inserting new ones. Additionally, Operating System Command (OSC) ANSI escape sequences could disrupt terminal operations, such as causing a denial-of-service condition, interfering with clipboard contents, creating hyperlinks to attacker-controlled servers, changing window titles, or potentially executing code, as demonstrated in a referenced proof-of-concept.

Reproduction

To reproduce this vulnerability, set up a Linux host and install Inspektor Gadget version 0.48.0. Run 'sudo ig run trace_open -c poc-escape-inject' in one terminal, while another terminal executes a script that injects ANSI escape sequences into the 'columns' output. The injected sequences can overwrite logged information, such as entries for sensitive files, demonstrating the vulnerability by tampering with what the operator sees in the log.

Remediation

Users can upgrade to Inspektor Gadget version 0.49.1, which addresses this vulnerability by sanitizing output in the 'columns' mode to prevent escape sequences from being interpreted by the terminal.

Added: Feb 12, 2026, 9:22 PM
Updated: Feb 12, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 4.0
remediation:    0.0
relevance:      2.7
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.