Electerm Remote Code Execution Vulnerability in SFTP File Editing Feature

Vulnerability

A remote code execution vulnerability exists in Electerm versions prior to 3.7.9, in the SFTP 'open with system editor' and 'Edit with custom editor' features. When a user chooses to edit a remote file, the filename is interpolated into a command line that is handed to a shell without sanitization or escaping. An attacker who controls the SSH server (or the user's own system) can therefore craft a filename containing shell metacharacters; when the user opens that file for editing, the embedded commands run on the user's machine with the user's privileges. This lets the attacker execute arbitrary code, install malware, or move laterally within the network.

Impact

Successful exploitation yields code execution on the affected user's machine with that user's privileges: the attacker can run arbitrary commands, install malicious software, or use the compromised workstation as a foothold for lateral movement within the network.

Reproduction

To reproduce, place a file whose name contains shell metacharacters on an SFTP server under the attacker's control. Connect to that server with Electerm 3.7.8 or earlier, select the file in the SFTP pane, and choose to edit it with the system editor or a custom editor. The commands embedded in the filename execute on the client machine: via PowerShell on Windows, or via the open command on macOS.

Remediation

Update to Electerm version 3.7.9 or later, which fixes this issue. Builds and download instructions are available on the Electerm GitHub Releases page.

Added: May 8, 2026, 4:22 AM
Updated: May 8, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.3
remediation: 7.9
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.