iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybersecurity researchers, working in partnership with OpenAI, have uncovered a fascinating and severe vulnerability in iTerm2, a widely used macOS terminal emulator.

According to Califio, the flaw abuses the application’s SSH integration feature, allowing attackers to turn seemingly harmless text output into remote code execution (RCE) on the local machine.

Simply viewing a maliciously crafted text file can trigger the exploit. To grasp how this exploit works, it helps to understand iTerm2’s SSH integration.

Rather than blindly typing commands into a remote shell, iTerm2 deploys a tiny helper script, the “conductor,” to the remote machine.

This script communicates with iTerm2 to coordinate tasks like discovering the login shell, changing directories, and uploading files. Crucially, this protocol does not use a separate network service.

The Califio research team explains that the conductor script operates inside the remote shell session, and all communication is carried over normal terminal input/output (I/O) via the pseudoterminal (PTY).

The vulnerability stems from a fundamental trust failure. iTerm2 accepts the SSH conductor protocol from any terminal output, even if it does not originate from a verified, trusted conductor session.

This means that untrusted terminal output can effectively impersonate the remote conductor by using specific terminal escape sequences:

  • DCS 2000p is used to forge a hook into the SSH conductor.
  • OSC 135 is used to send fake replies and messages back to iTerm2.

If an attacker hides these sequences in a text file, server response, or Message of the Day (MOTD), rendering that text triggers the flaw.

For example, simply running cat readme.txt on such a file will print the forged sequences to the screen, tricking iTerm2 into believing it has initiated a legitimate SSH integration exchange.
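The following is an added example, not code from the article, from Califio or from the iTerm2 project: a small Python scanner that flags the two sequences the article names (DCS 2000p and OSC 135) in a file or captured output, and a sanitizer that strips embedded control strings before the text is printed to a terminal. The ESC P / ESC ] introducers and the ST / BEL terminators are the standard ECMA-48 framing for DCS and OSC strings; the exact payload bodies of the conductor protocol are not on the page, so the sample "readme" uses constructed placeholders.

```python
from __future__ import annotations

import re
import sys

# ECMA-48 control-string framing, 7-bit forms only. The 8-bit C1 aliases
# (0x90, 0x9d, ...) are deliberately not matched because they occur as
# ordinary continuation bytes in valid UTF-8 text.
DCS_INTRO = rb"\x1bP"          # Device Control String: ESC P
OSC_INTRO = rb"\x1b\]"         # Operating System Command: ESC ]
STRING_END = rb"(?:\x1b\\|\x07)"  # ST (ESC \) or BEL

# Sequence names come from the article. The parameter framing after the
# introducer (digits, then 'p' or ';') is an assumption from the ECMA-48 grammar.
CONDUCTOR_HOOK = re.compile(DCS_INTRO + rb"2000p")
CONDUCTOR_REPLY = re.compile(OSC_INTRO + rb"135(?=[;\x07\x1b])")

# Any DCS / OSC / APC / PM / SOS string, used to sanitize text for display.
# An unterminated string is left alone here but is still flagged by the scanner.
CONTROL_STRING = re.compile(
    rb"(?:\x1bP|\x1b\]|\x1b_|\x1b\^|\x1bX).*?" + STRING_END,
    re.DOTALL,
)


def find_conductor_sequences(data: bytes) -> list[tuple[str, int]]:
    """Return (description, byte offset) for every forged-conductor sequence found."""
    findings = []
    for m in CONDUCTOR_HOOK.finditer(data):
        findings.append(("DCS 2000p (forged conductor hook)", m.start()))
    for m in CONDUCTOR_REPLY.finditer(data):
        findings.append(("OSC 135 (forged conductor reply)", m.start()))
    return sorted(findings, key=lambda f: f[1])


def strip_control_strings(data: bytes) -> bytes:
    """Remove every terminated DCS/OSC/APC/PM/SOS string so it cannot reach the emulator."""
    return CONTROL_STRING.sub(b"", data)


def is_safe_to_render(data: bytes) -> bool:
    """True when no forged-conductor sequence is present in the data."""
    return not find_conductor_sequences(data)


# Constructed sample (not a real captured file): a "readme" that hides a forged
# hook and a forged reply between two innocuous lines. The bodies are placeholders.
SAMPLE_README = (
    b"Welcome! Read me first.\n"
    b"\x1bP2000p<forged-hook-placeholder>\x1b\\"
    b"\x1b]135;<forged-reply-placeholder>\x07"
    b"Have a nice day.\n"
)


if __name__ == "__main__":
    # Usage: python3 scan_escapes.py [file]; with no argument the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_README
    for kind, offset in find_conductor_sequences(data):
        print(f"offset {offset}: {kind}")
    if not is_safe_to_render(data):
        print("forged conductor sequences found; printing a sanitized view instead")
    sys.stdout.buffer.write(strip_control_strings(data))
```

The scanner is useful as a pre-check before viewing files or MOTD text of unknown origin; as quicker manual checks, cat -v on macOS displays non-printing characters in caret notation instead of passing them to the terminal, and less shows ESC as ^[ unless it is run with -r or -R.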

PTY Confusion and Exploitation

Califio highlights that once iTerm2 accepts the fake conductor hook, it automatically begins its standard workflow, sending requests to verify shell environments and Python versions.

Because the malicious text file acts as a fake transcript, it feeds iTerm2 precise replies that push the terminal emulator down its fallback execution path.

Believing it’s communicating with a remote server, iTerm2 constructs a command execution request using attacker-controlled sshargs, writing the commands to the PTY as base64-encoded strings.

However, because there is no actual SSH connection routing the data to a remote machine, the local shell receives these base64 commands as plain local input.

The exploit relies on carefully formatting the sshargs payload so that the final base64-encoded chunk translates into a valid local file path, such as ace/c+aliFIo.

If the attacker places an executable payload at that specific relative path, the terminal interprets the base64 string as a local command and unknowingly executes the malware.

Califio reported the flaw to iTerm2 on March 30, and a fix was committed the next day, though it has not yet reached stable releases.

Until the patched version is distributed to the public, users should exercise extreme caution when reading untrusted text files or connecting to unfamiliar SSH servers, as these may serve malicious terminal output.
