Critical remote code execution flaw fixed in popular terminal app for macOS

A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can cause the terminal application to output maliciously crafted data, typically in response to a command issued by the user.

iTerm2 is an open-source alternative to the built-in macOS Terminal app and, like it, lets users interact with the command-line shell. Terminal apps are commonly used by system administrators, developers and IT staff in general, including security teams, for a variety of tasks and day-to-day operations.

The iTerm2 app is a popular choice on macOS because it offers features and customizations that the built-in Terminal doesn't, which is why the Mozilla Open Source Support Program (MOSS) decided to sponsor a code audit for it. MOSS was created in the wake of the critical and wide-impact Heartbleed vulnerability in OpenSSL with the goal of sponsoring security audits for widely used open-source technologies.

"MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators)," Mozilla said in a blog post announcing the newly discovered vulnerability.

The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. Tmux is a terminal multiplexer that allows running multiple sessions in the same terminal window by splitting the terminal screen.

Many ways to exploit iTerm2 vulnerability

To exploit the vulnerability, attackers need to get specially crafted output onto the user's terminal, and this can be done in many ways: for example, if the user is connected to an attacker-controlled SSH server, if they use the curl command to fetch an attacker-controlled URL, or if they open a local file where the attacker was able to place data, such as a web server log.

Successful exploitation can result in arbitrary command execution on the user's machine, which means that the vulnerability enables remote command injection attacks. "Typically, this vulnerability would require some degree of user interaction or trickery, but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact," Mozilla said.

The flaw was fixed in iTerm2 version 3.3.6, which was released today, and users are advised to update as soon as possible. By default, the application should notify users that a new version is available. The app's developer, George Nachman, worked closely with Radically Open Security, the company that conducted the audit for MOSS, to develop a patch for the vulnerability.

The processing of untrusted data is one of the most common sources of vulnerabilities in applications. For many apps, including iTerm2, this attack vector cannot be avoided, because connecting to remote servers and loading files from them is one of their main features. When remote code execution flaws are found in such apps, deploying patches as soon as possible is critical, because these apps are a favorite target for attackers.