Tabby Terminal Emulator ZMODEM Protocol Auto-Confirmation Leading to Shell Command Execution Vulnerability
Vulnerability
A vulnerability in the Tabby (formerly Terminus) terminal emulator, versions prior to 1.0.233, allows shell command execution through automatic confirmation of ZMODEM protocol detection on all terminal session output. Because the confirmation is unprompted, commands can be executed when a user merely views attacker-controlled content. The issue arises because the ZModemMiddleware in tabby-terminal processes all session output and, on detecting a ZMODEM ZRQINIT header, automatically confirms the detection and sends a fixed ZRINIT response back into the active pseudo-terminal (PTY) as input. When the process that triggered the detection, such as 'cat', finishes, the injected bytes are interpreted by the user's shell as a command. The vulnerability is exploitable under fish, bash, and zsh, with the exact method of execution depending on the shell in use.
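As an added illustration (this is not Tabby's own code; the class and function names are hypothetical, and the ZRINIT bytes are a constructed stand-in rather than the exact response Tabby sends), the following TypeScript contrasts an output-path middleware that answers a ZRQINIT header automatically with one that only records the detection and writes to the PTY after an explicit user decision. It also includes the check a defender can run over freshly cloned file contents or captured output to see whether they would trip the detection, and it handles a header split across two output chunks.

```typescript
// Added example, not Tabby's own code. Class/function names are hypothetical;
// the ZRINIT bytes below are a constructed stand-in (CRC not computed), not the
// exact response Tabby sends.

// ZMODEM hex-frame header prefix: ZPAD ZPAD ZDLE ZHEX, i.e. "**", 0x18, "B",
// followed by two hex digits naming the frame type: "00" = ZRQINIT (sender asks
// the receiver to start), "01" = ZRINIT (receiver is ready).
const ZMODEM_HEX_PREFIX = '**\x18B';
const ZRQINIT_HEADER = ZMODEM_HEX_PREFIX + '00';

// Constructed receiver reply: type 01, four zeroed flag bytes, placeholder CRC,
// CR, LF with the high bit set, XON. Anything returned to the PTY becomes shell
// input once the foreground process exits, which is the whole problem.
const FIXED_ZRINIT_RESPONSE = ZMODEM_HEX_PREFIX + '01' + '00000000' + '0000' + '\r\x8a\x11';

// Constructed session output: a harmless `cat` of a file whose content carries
// a ZRQINIT hex header (no command payload is included here).
const SAMPLE_SESSION_OUTPUT =
  '$ cat README.txt\r\nhello\r\n' + ZRQINIT_HEADER + '00000000' + '0000' + '\r\x8a\x11';

// Defender-side check: does this text (a file in a freshly cloned repo, a log,
// a chunk of terminal output) contain a ZRQINIT header that would trip
// auto-detection? Returns the offset or -1.
function findZrqinit(text: string): number {
  return text.indexOf(ZRQINIT_HEADER);
}

// Keeps the last (header length - 1) characters so a header split across two
// output chunks is still seen, and seen exactly once.
class HeaderScanner {
  private tail = '';
  feed(chunk: string): boolean {
    const buf = this.tail + chunk;
    const hit = findZrqinit(buf) !== -1;
    this.tail = buf.slice(-(ZRQINIT_HEADER.length - 1));
    return hit;
  }
}

// Pre-1.0.233 behaviour as the advisory describes it: a ZRQINIT anywhere in the
// output is taken as a real transfer and answered immediately. The return value
// is what the middleware would write into the PTY as input.
class AutoConfirmZModem {
  private scanner = new HeaderScanner();
  feedFromSession(chunk: string): string | null {
    return this.scanner.feed(chunk) ? FIXED_ZRINIT_RESPONSE : null;
  }
}

// Hardened shape: the output path never writes to the PTY. A detection only
// raises a prompt; bytes go back only from an explicit user decision taken on
// the UI path, and the decision is consumed so one detection yields at most
// one reply.
class ConfirmGatedZModem {
  private scanner = new HeaderScanner();
  private pending = false;
  promptsRaised = 0;

  feedFromSession(chunk: string): string | null {
    if (this.scanner.feed(chunk) && !this.pending) {
      this.pending = true;
      this.promptsRaised += 1;
    }
    return null; // never auto-replies from the output path
  }

  get awaitingUser(): boolean {
    return this.pending;
  }

  // Called from a dialog button, never from session output.
  userDecision(accept: boolean): string | null {
    if (!this.pending) return null;
    this.pending = false;
    return accept ? FIXED_ZRINIT_RESPONSE : null;
  }
}

// Stand-alone demonstration.
const vulnerable = new AutoConfirmZModem();
const gated = new ConfirmGatedZModem();
console.log('auto-confirm writes to PTY:', vulnerable.feedFromSession(SAMPLE_SESSION_OUTPUT) !== null); // true
console.log('gated writes to PTY:', gated.feedFromSession(SAMPLE_SESSION_OUTPUT) !== null); // false
console.log('gated is waiting for the user:', gated.awaitingUser); // true
```

The design point is where the write to the PTY originates: in the gated version nothing on the output path can produce input, so displaying untrusted content can at most raise a dialog. The same `findZrqinit` check can be run over repository files before they are viewed in an unpatched client.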
Impact
Exploitation leads to one-time local code execution in the user's shell, with the executed code running under the user's privileges.
Reproduction
The vulnerability can be reproduced by cloning a malicious Git repository containing a crafted file that triggers the ZMODEM detection. After cloning, displaying the file with the 'cat' command results in execution of the injected command. This can be done manually or with a provided proof-of-concept script.
Remediation
Users can update to Tabby version 1.0.233 or later, where this vulnerability has been fixed.