Tabby Control Character Handling Vulnerability Leading to Code Execution
Vulnerability
A code execution vulnerability exists in Tabby (formerly Terminus) versions prior to 1.0.233. The application does not properly escape control characters in file paths when files are dragged and dropped into the terminal. As a result, control characters embedded in a filename are interpreted by the terminal instead of being treated as part of the path, which allows arbitrary code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine. Although the user must manually drag and drop a file with a name containing a malicious command, the payload can be concealed by adding non-malicious text to the filename, pushing the harmful command out of sight in the file manager.
Reproduction
To reproduce this vulnerability, first create a file with a name that includes a command payload, such as 'gnome-calculator' preceded by a control character that simulates a 'CTRL+C' action, and followed by a carriage return control character. Once the file is created, open Tabby and drag and drop the file into the terminal. The control characters will be interpreted, and the command will be executed.
Remediation
Users are advised to update to Tabby version 1.0.233 or later, where this vulnerability has been fixed.
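For anyone maintaining a terminal front end with drag-and-drop support, the following added example (not Tabby's code and not its actual fix) shows one way to handle a dropped path before it is written to the shell's input. The function names, the sample path and the refuse-on-control-character policy are assumptions made for illustration.

```typescript
// Added example, not Tabby's code. Names, sample path and policy are assumptions.

// Constructed sample mirroring the reproduction: CTRL+C (0x03), a command, then CR (0x0D).
const SAMPLE_DROPPED_PATH = "/tmp/report\x03gnome-calculator\r";

// C0 controls, DEL and C1 controls. None of these belong in text typed on the user's behalf.
function isControl(code: number): boolean {
  return code <= 0x1f || code === 0x7f || (code >= 0x80 && code <= 0x9f);
}

function hasControlChars(path: string): boolean {
  for (let i = 0; i < path.length; i++) {
    if (isControl(path.charCodeAt(i))) return true;
  }
  return false;
}

// Make hidden bytes visible, e.g. for a warning dialog or a log entry.
function visualize(path: string): string {
  let out = "";
  for (let i = 0; i < path.length; i++) {
    const code = path.charCodeAt(i);
    out += isControl(code)
      ? "\\x" + (code < 16 ? "0" : "") + code.toString(16)
      : path.charAt(i);
  }
  return out;
}

// POSIX single-quote escaping: neutralises spaces, $, backticks, ; and similar.
function shellQuote(path: string): string {
  return "'" + path.replace(/'/g, "'\\''") + "'";
}

// Returns the text to write to the terminal, or null to refuse the drop.
// Quoting alone is not enough: the pty and the shell's line editor act on
// 0x03 and 0x0D as keystrokes before the shell ever parses the quotes.
function prepareDroppedPath(path: string): string | null {
  if (hasControlChars(path)) return null;
  return shellQuote(path) + " ";
}

for (const p of ["/home/u/notes.txt", SAMPLE_DROPPED_PATH]) {
  const text = prepareDroppedPath(p);
  console.log(text === null ? "refused: " + visualize(p) : "paste: " + text);
}
```

The policy here is deliberately conservative: tabs and newlines in filenames are refused as well, since a tab triggers completion and a newline submits the line in most shells.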
