iTerm2 Code Execution Vulnerability via DCS 2000p and OSC 135

Vulnerability

A code execution vulnerability has been identified in iTerm2 versions through 3.6.9. When a .txt file is displayed in the terminal, DCS 2000p and OSC 135 data contained in that file can lead to execution of arbitrary code. Exploitation requires that the working directory contain a malicious file whose name can be generated by the conductor encoding path, such as one starting with 'ace/c+'. The vulnerability exists because iTerm2 improperly handles the SSH conductor protocol, accepting unverified data that can trigger code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Reproduction

To reproduce this vulnerability, place a malicious file in the working directory that has a name valid under the conductor encoding path, such as one starting with 'ace/c+'. Then, open a .txt file in iTerm2 version 3.6.9 or earlier. The terminal will process the DCS 2000p and OSC 135 data from the text file, executing the code from the maliciously named file.

Remediation

Users can update to iTerm2 version 3.6.10beta1, which includes a fix for this vulnerability. This beta version can be downloaded from the iTerm2 website.
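Until the update is installed, untrusted text files can be checked for the two sequence introducers named above before they are displayed. The following is an added example, not code from this advisory or from the iTerm2 project; it assumes standard ECMA-48 framing for DCS and OSC, and the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# Assumption: standard ECMA-48 framing. DCS starts with ESC P, OSC with ESC ];
# the 8-bit C1 forms (0x90 / 0x9D, raw or UTF-8 encoded) are matched conservatively.
DCS = rb"(?:\x1bP|\xc2\x90|\x90)"
OSC = rb"(?:\x1b\]|\xc2\x9d|\x9d)"
SIGNATURES = {
    "DCS 2000p": re.compile(DCS + rb"2000p"),
    "OSC 135": re.compile(OSC + rb"135(?![0-9])"),
}
# C0 controls except tab/LF/CR, plus DEL and the C1 range, on decoded text.
UNSAFE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")


def scan_bytes(data: bytes) -> list[tuple[str, int]]:
    """Return (sequence name, byte offset) for every introducer found."""
    hits = [(name, m.start()) for name, rx in SIGNATURES.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda hit: hit[1])


def neutralize(data: bytes) -> str:
    """Render control characters as visible <0xNN> tokens for safe display."""
    text = data.decode("utf-8", errors="replace")
    return UNSAFE.sub(lambda m: f"<0x{ord(m.group()):02X}>", text)


# Constructed sample: introducers only, with placeholder bodies.
CONSTRUCTED_SAMPLE = (b"release notes\n\x1bP2000p(placeholder)\x1b\\"
                      b"\x1b]135;(placeholder)\x07end\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            content = fh.read()
        findings = scan_bytes(content)
        for name, offset in findings:
            print(f"{path}: {name} introducer at byte {offset}")
        if findings:
            print(neutralize(content))
```

Run it with one or more file paths as arguments; a file with no findings produces no output.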

Added: Apr 18, 2026, 6:18 AM
Updated: Apr 18, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 4.3
remediation: 7.7
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.