Abusing url handling in iTerm2 and Hyper for code execution

Abusing url handling in iTerm2 and Hyper for code execution(vin01.github.io)

141 points by vin10 1 year ago | 56 comments

> This is of course a harmless PoC and you can try it out using docker pull vin01/escape-seq-test:latest --platform darwin/arm64 or docker run --rm vin01/escape-seq-test and you should see the injected link as shown below.

Wow, I wouldn't have expected `docker pull` in particular to allow arbitrary content injection. Does anyone know of any tools which scan images being pulled before passing them over to `docker` for processing?

yencabulator 1 year ago | |

> I wouldn't have expected `docker pull` in particular to allow arbitrary content injection.

Having read Docker source code and seen a repetitive pattern of silly mistakes with dire consequences, I emphatically would expect it to have such, and many other similar, issues.

My personal favorite is still the time they computed a hash of a download, but then failed to compare it to anything.

adrianceleste 1 year ago | |

I believe skopeo should allow you to: https://github.com/containers/skopeo

lxgr 1 year ago |

Slightly off-topic, but...

> Hyper is an Electron-based terminal

Why!?

pornel 1 year ago | |

Electron beatings will continue for as long as making a proper GUI for major platforms requires learning three different languages and four different UI toolkits, where every one of them is less flexible and harder to use than the web stack.

For developers Electron is the easiest way to have a portable UI, with very flexible and capable styling, decent text rendering, animations, and a layout and rendering engine optimized for a very broad range of use-cases, with fantastic developer tools.

lxgr 1 year ago | | |

I get that tradeoff, and I can see how it makes sense for apps that don't interface that much with the OS/UI they run on (although I'm still not a fan of the resource usage and the occasional UI yankiness).

But for a terminal emulator? These are pretty deeply integrated with the OS they run on and often run with elevated permissions and/or get to pass through passwords as they're entered! I can't imagine using one written in Electron.

omoikane 1 year ago |

Would it help if SSH clients don't pass TERM variable to identify that current terminal is capable of handling "\e]8" ? I assume TERM is how the remote application know that this exploit is available.

I also assume that this vulnerability is meant for remote apps accessed via SSH or similar, since a compromised app that is executed locally probably have easier exploits (they might just run calculator or whatever directly without going through escape sequences, for example).

Joker_vD 1 year ago | |

AFAIK, the remote applications simply do an isatty() check on the stdout and that's it; a proper terminal is then apparently expected to correctly skip and quietly ignore any OSC sequence it does not understand. See the source of ls [0], for example.

[0] https://github.com/coreutils/coreutils/blob/2a72cf1e9959f40b...

yencabulator 1 year ago | |

You don't need a "compromised app" if the escape codes are in a file you cat.

Groxx 1 year ago |

>Any links using those schemes when clicked, would open the MacOS terminal to perform the corresponding action.

I'm unclear which of these are being described:

1: when printed and clicked, they may be handled by the terminal, and the terminal's handling allows more behaviors than it should, allowing code execution

2: when printed, these urls are automatically executed by the shell, allowing code execution

Neither are good of course, but they're different levels of badness, and I feel like I must be missing a single critical word somewhere to be able to figure out which it is.

---

That said, oh boy I do not want this:

>Most terminal emulators these days allow using Osc 8 to directly generate hyperlinks from arbitrary text.

Is there a standard way to disable it? That sounds awful, terminals don't have even a small fraction of browsers' malicious-link-defense mechanisms (as demonstrated). I always want to see the full url in a terminal.

vin10 1 year ago | |

It is the first one, they need to be printed and clicked.

Joker_vD 1 year ago | | |

There is also another escape sequence, OSC 1337, apparently already implemented in iTerm2 [0], which makes iTerm2 open the URL instead of printing it:

    The hypothetical new control code is different because it does not display a hyperlink; it directly opens the link using the appropriate system URL handler.

[0] https://gitlab.com/gnachman/iterm2/-/issues/10994

Repulsion9513 1 year ago | |

You never want to see raw, attacker-supplied text in a terminal, actually.

Groxx 1 year ago | | |

It sure is a good thing we never run anything in our terminals without fully vetting all output.

     curl -s -L https://raw.githubusercontent.com/Groxx/rickrollrc/master/roll.sh | bash

lxgr 1 year ago | | |

Is that realistic?

Sure, text editors and viewers like vim or less can probably filter out terminal escape sequences, but should arbitrary programs printing (potentially user-supplied) strings to stdout have to?

Maybe terminal escape sequence processing should be opt-in (on a by-process/job level) rather than opt-out?

eviks 1 year ago | |

Think you can see the full url one mouse over in some terminals (and rebind what clicks do to disable opening)

classified 1 year ago |

I stopped using iTerm2 as soon as I learned it will open arbitrary URLs.

HunterWare 1 year ago | |

Huh, I just disabled it in Preferences and kept on rolling. This is the other viable option: Settings->Pointer->General and disable cmd-click opens filename/URL.

knodi123 1 year ago | | |

I enabled it because github's "turn this push into a PR" link is such a timesaver.

cobbal 1 year ago | |

It will only open the URLs after presenting a confirmation banner that says: "open this URL? http://example.com/", or if you command-click on a link.

philsnow 1 year ago |

At the very end of the article,

> Upgrade to iTerm2 3.5.0

I had just gotten the upgrade notification for 3.5.0 a few minutes ago. I scrolled through the release notes a bit and got to the "AI" section and I would like very much to get off this ride. I am grumpy and a terminal should be a terminal.

Features of iTerm2 I don't use and don't think belong in a terminal emulator:

  - tmux integration
  - shell integration
  - ssh integration
  - password manager integration
  - hooks
  - syntax highlighting *that's baked into the terminal*
  - installing its own python runtimes (?!)
  - ~blindly~ opening URLs when rendering a certain escape sequence [0]

[0] https://gitlab.com/gnachman/iterm2/-/issues/10994 the discussion in there makes it seem like it's okay because many schemes that aren't http[s] cause the browser to open a dialog box

Features of iTerm2 I use:

  - fullscreen without using MacOS's spaces implementation of fullscreen

.... This got away from me and went from grumpy muttering to a snarky rant. I like iTerm2, it's just starting to feel like somebody else's terminal, that's all.

Edit: tried to cross out "blindly" above, it does ask you whether you want to open the URL, though it offers to always allow it for that host which seems like it might be iffy, but at least if I never click "always allow", I'll be notified if anything tries to inject this OSC sequence.