Exploiting iTerm2's SSH Integration Vulnerability
By Calif

AI Summary
In exploring whether running 'cat readme.txt' in iTerm2 is safe, I discovered a significant vulnerability tied to its SSH integration feature. iTerm2's SSH integration gives the terminal a richer picture of the remote session by using a helper script called the conductor, which communicates with iTerm2 through terminal escape sequences. However, this design allows untrusted terminal output to impersonate the conductor, which opens the door to exploitation.
The vulnerability arises because iTerm2 accepts the SSH conductor protocol from any terminal output, not just from a trusted source. A malicious file or server response can therefore mimic the conductor's messages, tricking iTerm2 into executing commands as if it were in a legitimate SSH session.
An exploit file can contain fake conductor messages, which iTerm2 processes as genuine: a forged DCS 2000p hook and OSC 135 replies that prompt iTerm2 to start its conductor workflow. The exploit leverages this behavior to have iTerm2 execute arbitrary commands, encoded so that they appear valid to the terminal.
The exploit is built from a file containing the malicious sequences and an executable script that iTerm2 mistakenly treats as a legitimate conductor. This lets an attacker run commands on the victim's machine as soon as the victim runs 'cat readme.txt'.
After discovering the bug, I reported it to iTerm2, and a fix was quickly implemented, though it has not yet reached stable releases. The process of rebuilding the exploit using the patch was documented, demonstrating the ongoing challenge of securing terminal emulators against such vulnerabilities.
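As an added example, not code from the original post or from iTerm2: a small Python check that flags the two conductor markers the summary names (a DCS whose body starts with 2000p and an OSC numbered 135) in untrusted bytes, plus a sanitizer that strips every control string before the bytes reach a terminal. Only the ECMA-48 framing (DCS, OSC, ST, BEL) is assumed; the message bodies in the sample readme are constructed placeholders, not real protocol.

```python
import re

# ECMA-48 control-string framing: DCS = ESC P or 0x90, OSC = ESC ] or 0x9d,
# ST = ESC \ or 0x9c; an OSC may also end with BEL (0x07).
_DCS = r"(?:\x1bP|\x90)"
_OSC = r"(?:\x1b\]|\x9d)"
_ST = r"(?:\x1b\\|\x9c)"

# The two conductor markers named in the summary: a DCS whose body begins
# "2000p", and an OSC whose command number is 135 (followed by a parameter
# separator or an immediate terminator).
CONDUCTOR_HOOK = re.compile(_DCS + r"2000p")
CONDUCTOR_REPLY = re.compile(_OSC + r"135(?:;|\x07|" + _ST + ")")

# Any control string (DCS, OSC, PM, APC, SOS): introducer up to the first
# terminator, or to end of input when unterminated, since a terminal would
# otherwise keep consuming output as part of the string.
_CONTROL_STRING = re.compile(
    r"(?:\x1b[P\]^_X]|[\x90\x9d\x9e\x9f\x98]).*?(?:\x1b\\|\x9c|\x07|\Z)", re.DOTALL
)


def find_conductor_sequences(data: bytes) -> list[tuple[str, int]]:
    """Return (label, byte offset) for each forged-conductor marker in untrusted bytes."""
    text = data.decode("latin-1")  # 1:1 byte mapping keeps C1 bytes and offsets intact
    hits = [("DCS 2000p", m.start()) for m in CONDUCTOR_HOOK.finditer(text)]
    hits += [("OSC 135", m.start()) for m in CONDUCTOR_REPLY.finditer(text)]
    return sorted(hits, key=lambda h: h[1])


def strip_control_strings(data: bytes) -> bytes:
    """Remove every control string so the terminal never parses its contents."""
    return _CONTROL_STRING.sub("", data.decode("latin-1")).encode("latin-1")


# Constructed sample: a harmless-looking readme with two fake conductor
# messages embedded in it (placeholder bodies, not the real protocol).
SAMPLE = (b"Project README\n"
          b"\x1bP2000p<fake conductor hook>\x1b\\"
          b"Run `make` to build.\n"
          b"\x1b]135;<fake conductor reply>\x07"
          b"Thanks for reading.\n")

if __name__ == "__main__":
    for label, offset in find_conductor_sequences(SAMPLE):
        print(f"{label} at byte {offset}")
    print(strip_control_strings(SAMPLE).decode())
```

Piping a file through the sanitizer before `cat`-style display is one cheap mitigation while waiting for a patched terminal; the finder is the detection side of the same check.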
Key Concepts
A security flaw in software that allows unauthorized access or actions through SSH protocol misuse. It often involves exploiting trust mechanisms or protocol handling errors.
Software that replicates the functions of a traditional hardware terminal, allowing users to interact with a computer system through a command-line interface.
Category
Security
Original source
https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not
Summarized by Mente