Back in the PDP-10 days, one communicated with it using a terminal attached to it. One of my fellow students discovered that if you hit backspace enough times, the terminal handler would keep erasing characters before the buffer. Go far enough, and then there was an escape character (Ctrl-u?) that would delete the whole line.<p>Poof went the operating system!
> At the time of writing, the fix has not yet reached stable releases.<p>Why was this disclosed before the hole was patched in the stable release?<p>It's only been 18 days since the bug was reported to upstream, which is much shorter than typical vulnerability disclosure deadlines. The upstream commit (<a href="https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899f86" rel="nofollow">https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30...</a>) has way less information than this blog post, so I think releasing this blog post now materially increases the chance that this will be exploited in the wild.<p>Update: The author was able to develop an exploit by prompting an LLM with just the upstream commit, but I still think this blog post raises the visibility of the vulnerability.
An almost identical security issue in iterm2 reported 6 years ago:<p><a href="https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/" rel="nofollow">https://blog.mozilla.org/security/2019/10/09/iterm2-critical...</a>
This is cool work, but it's also somewhat unsurprising: this is a recurring problem with fancy, richly-featured terminal apps. I think we had at least ten publicly reported vulns of this type in the past 15 years. We also had vulnerabilities in tools such as less, in text editors such as vim, etc. And notably, many of these are logic bugs - i.e., they are not alleviated by a rewrite to Rust.<p>I don't know what to do with this. I think there's this problematic tension between the expectation that on one hand, basic OS-level tools should remain simple and predictable; but on the other hand, that <i>of course</i> we want to have pretty colors, animations, and endless customization in the terminal.<p>And of course, we're now adding AI agents into the mix, so that evil text file might just need to say "disregard previous instructions and...".
I know that you and Frank were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.
i think part of the problem is the archaic interface that is needed to enable feature rich terminal apps. what we really want is a modern terminal API that does not rely on in-band command sequences. that is we want terminals that can be programmed like a GUI, but still run in a simple (remote) terminal like before.
[tangent, allegory]<p>From the article,<p>>trust failure<p>And from you,<p>>...of course we want to have pretty colors...<p>And from me, [allegorically] sounds oddly like a certain immigration problem America has been arguing about.<p>And back to the subject-matter rigor that HN demands, none of this matters when you've got competent engineers that understand security and good management that keeps it all together.<p>But there's a fool born every minute, even in tech, so we (I was a security sales engineer) get to keep scamming companies into buying whatever we promise will solve all your problems!
Makes me wonder if Claude Code has similar vulnerabilities, as it has a pretty rich terminal interface as well.<p>I think the real solution is that you shouldn't try to bolt colors, animations, and other rich interactivity features onto a text-based terminal protocol. You should design it specifically as a GUI protocol to begin with, with everything carefully typed and with well-defined semantics, and avoid using hacks to layer new functionality on top of previously undefined behavior. That prevents whatever remote interface you have from misinterpreting or mixing user-provided data with core UI code.<p>But that flies in the face of how we actually develop software, as well as basic economics. It will almost always be cheaper to adapt something that has widespread adoption into something that looks a little nicer, rather than trying to get widespread adoption for something that looks a little nicer.
Well all these bugs (iTerm2’s, prompt injection, SQL injection, XSS) are one class of mistake — you sent out-of-band data in the same stream as the in-band data.<p>If we can get that to raise a red flag with people (and agents), people won’t be trying to put control instructions alongside user content (without considering safeguards) as much.
I used to use iTerm2. I had no idea it was doing all of this behind my back. That’s not what I want my terminal to do!
What happens if instead of 'cat readme.txt' one does 'strings -a --unicode=hex readme.txt'? Does iTerm still monkey with it?<p><pre><code> alias cat
cat='strings -a --unicode=hex'</code></pre>
> We'd like to acknowledge OpenAI for partnering with us on this project<p>Thanks, saved me some reading time.
Is it a problem with "cat" or a terminal problem?<p>If I wrote my own version of cat in C, simply reading and displaying a single TXT character at a time, wouldn't I see the same behavior?
As the article shows, it is a bug in iTerm2. cat is just one program that could trigger it, the key thing is outputting attacker controlled text to the terminal when the attacker can control what files are present (ie unzipping a folder that includes a specific executable file at a well chosen location that gets triggered to run when the readme is output to the terminal)
Give this one MS-DOS shell headline would be " why I never am using Microsoft again" or something dramatic like that.<p>It is a problem in iterm, Apple's overlay, not in the cat program. Program. At least from Reading the article. That's what I got
Is ghostty vulnerable?
I never understood why outputting unescaped data is viewed differently from generating unenclosed html.<p>Like why doesn't `println` in a modern language like rust auto-escape output to a terminal, and require a special `TerminalStr` to output a raw string.
I think the problem is that 1) You want to be able to write arbitrary bytes, including shell escape sequences into files. 2) You don't want to accidentally write terminal escape sequences to stdout. 3) Stdout is modeled as a file.<p>Consider cat. It's short for concatenate. It concatenates the files based to it as arguments and writes them to stdout, that may or may not be redirected to a file. If it didn't pass along terminal escapes, it would fail at its job of accurate concatenation.<p>Now I don't mean to dismiss your idea, I do think you are on the right track. The question is just how to do this cleanly given the very entrenched assumptions that lead us where we are.
> that may or may not be redirected to a file<p>This is usually knowable.<p>It's a different question whether cat should be doing that, though – it's an extremely low level tool. What's wrong with `less`? (Other than the fact that some Docker images seem to not include it, which is pretty annoying and raises the question as to whether `docker exec` should be filtering escape sequences...)
More like iTerm2 is not safe
A long, long time ago, it was literally possible to stuff the command buffer of a “dumb terminal” using ESC sequences and spoof keyboard input. So yeah, don’t count on ’cat’ being safe if your terminal isn’t!
Wait, so... cat -v <i>not</i> considered harmful, then?
It is under 9front. There are not terminals, you wan windows with shells on it.
Even click-baity titles are not safe.
With LLM tool use potentially every cat action could be a prompt injection
[flagged]