Tabby Terminal Emulator Unsafe Protocol Handler Execution Vulnerability

A vulnerability in Tabby (formerly Terminus) terminal emulator, prior to version 1.0.232, allows for unsafe execution of protocol handlers. The issue arises because the terminal linkifier directly passes detected URIs to the operating system's protocol handler without validating the protocol scheme. This flaw enables a malicious SSH or Telnet server to send crafted terminal output with dangerous protocol URIs. When clicked, these links trigger arbitrary OS protocol handlers on the user's machine. On unpatched Windows systems, this could lead to remote code execution via known protocol handler exploits.

Impact

Exploitation of this vulnerability allows for arbitrary execution of operating system protocol handlers, with potential remote code execution on unpatched Windows systems through known protocol handler exploits such as Follina (CVE-2022-30190).

Reproduction

The vulnerability can be reproduced by connecting to a malicious SSH or Telnet server that sends terminal output containing a crafted URI, such as 'vscode://', 'ms-msdt://', or 'zoommtg://'. Tabby will linkify the URI, and clicking on it will invoke the corresponding OS protocol handler without any validation or warning.

Remediation

Users are advised to update to Tabby version 1.0.232 or later. All users should also avoid clicking on application protocol links in SSH or Telnet sessions that they do not understand or trust.