A seven-year-old critical remote code execution (RCE) vulnerability has been found in iTerm2, the macOS terminal emulator that is one of the most popular open source substitutes for the Mac's built-in Terminal app.
The iTerm2 RCE vulnerability, tracked as CVE-2019-9535, was discovered during an independent security audit funded by the Mozilla Open Source Support Program (MOSS) and conducted by the cybersecurity firm Radically Open Security (ROS).
According to Mozilla, MOSS selected iTerm2 for a security audit because it processes untrusted data and is widely used by high-risk targets such as developers and system administrators.
Mozilla published a blog post stating that the RCE flaw resides in iTerm2's tmux integration feature and, when exploited, could permit an attacker to execute arbitrary commands by providing malicious output to the terminal.
Potential attack vectors for this vulnerability include connecting to an attacker-controlled SSH server, using a command such as curl to fetch a malicious website, or using tail -f to follow a log file that contains malicious content.
This is demonstrated in the video below.
The vulnerability can also be triggered by tricking command-line utilities into printing attacker-controlled content, ultimately allowing attackers to execute arbitrary commands on the user's Mac.
The vulnerability affects iTerm2 versions up to and including 3.3.5 and was patched in iTerm2 3.3.6. Users can either download the update manually or check for updates from within the installed app's menu.
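As an added example (not part of the article, nor iTerm2's own tooling), the following POSIX shell script checks whether a locally installed iTerm2 falls in the affected range for CVE-2019-9535, i.e. any version older than 3.3.6. It assumes the default install path /Applications/iTerm.app and reads the version from the app's Info.plist with the macOS defaults command.

```sh
#!/bin/sh
# Added example: flag iTerm2 installs affected by CVE-2019-9535.
# Affected: versions up to and including 3.3.5; fixed in 3.3.6.
# Assumption: iTerm2 lives at the default macOS install path below.
FIXED_VERSION="3.3.6"
ITERM_PLIST="/Applications/iTerm.app/Contents/Info.plist"

# version_lt A B: exit 0 if dotted version A sorts strictly before B.
# Compares up to four numeric components; missing components count as 0.
# Pre-release suffixes are ignored, so "3.3.6beta1" compares as 3.3.6.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        b=$(printf '%s' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# iterm2_vulnerable VERSION: exit 0 when VERSION is in the affected range.
iterm2_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_iterm2_version: print CFBundleShortVersionString of the
# installed app, or fail if iTerm2 is not present at the assumed path.
installed_iterm2_version() {
    [ -f "$ITERM_PLIST" ] || return 1
    # defaults wants the path without the .plist extension
    defaults read "${ITERM_PLIST%.plist}" CFBundleShortVersionString 2>/dev/null
}

main() {
    v=$(installed_iterm2_version) || { echo "iTerm2 not found at $ITERM_PLIST"; return 0; }
    if iterm2_vulnerable "$v"; then
        echo "iTerm2 $v is affected by CVE-2019-9535; update to $FIXED_VERSION or later"
        return 2
    fi
    echo "iTerm2 $v is not affected by CVE-2019-9535"
}

# Run the check against the local install; exit status 2 means affected.
main
```

The script only reports the installed version against the fixed release; it does not inspect whether the tmux integration is in use.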