Critical iTerm2 Flaw (CVE-2024-27324) Allows Remote Code Execution
Key Takeaways A critical vulnerability, CVE-2024-27324, has been discovered in iTerm2, a popular macOS terminal emulator. The flaw allows remote code execution (RCE) by tricking iTerm2’s SSH...
Key Takeaways
- A critical vulnerability, CVE-2024-27324, has been discovered in iTerm2, a popular macOS terminal emulator.
- The flaw allows remote code execution (RCE) by tricking iTerm2’s SSH integration feature, even from seemingly benign text output.
- Simply viewing a specially crafted text file or server response can trigger the exploit, leading to local code execution.
- A patch has been developed but is not yet widely available in stable releases.
Cybersecurity researchers, in collaboration with OpenAI, have identified a significant vulnerability, tracked as CVE-2024-27324, within iTerm2, a widely used terminal emulator for macOS. This severe flaw poses considerable security risks, potentially enabling remote code execution (RCE) on affected systems.
Table Of Content
According to findings from Califio, the vulnerability exploits iTerm2’s SSH integration mechanism. Attackers can leverage this feature to transform what appears to be innocuous text output into a means for executing arbitrary code locally on the victim’s machine.
The core of the exploit lies in its ability to be triggered merely by displaying a maliciously crafted text file. Understanding iTerm2’s SSH integration is crucial to comprehending how this attack unfolds.
Instead of direct command input into a remote shell, iTerm2 employs a small helper script, referred to as the “conductor,” which is deployed to the remote machine. This conductor script facilitates communication with iTerm2, coordinating tasks such as identifying the login shell, navigating directories, and uploading files. Importantly, this communication protocol does not rely on a separate network service.
The Califio research team elaborated that the conductor script operates within the remote shell session itself, with all communication occurring over standard terminal input/output (I/O) via the pseudoterminal (PTY).
The vulnerability arises from a fundamental lapse in trust. iTerm2 accepts the SSH conductor protocol from any terminal output, regardless of whether it originates from a verified and trusted conductor session. This critical oversight means that untrusted terminal output can effectively impersonate a legitimate remote conductor by embedding specific terminal escape sequences:
- DCS 2000p is utilized to forge a hook into the SSH conductor.
- OSC 135 is employed to transmit fabricated replies and messages back to iTerm2.
Should an attacker embed these sequences within a text file, a server’s response, or even a Message of the Day (MOTD), the act of rendering this text will trigger the vulnerability.
For instance, executing a simple command like cat readme.txt on a compromised file will display these forged sequences on the screen. This action deceives iTerm2 into believing it has initiated a legitimate SSH integration exchange, setting the stage for the exploit.
PTY Confusion and Exploitation
Califio’s analysis highlights that upon accepting the fake conductor hook, iTerm2 automatically commences its standard workflow, sending requests to verify shell environments and Python versions. Since the malicious text file acts as a fabricated transcript, it provides iTerm2 with precise replies that guide the terminal emulator down its fallback execution path.
Under the mistaken belief that it is communicating with a remote server, iTerm2 constructs a command execution request using attacker-controlled sshargs. These commands are then written to the PTY as base64-encoded strings.
However, because there is no actual SSH connection routing this data to a remote machine, the local shell receives these base64 commands as plain local input. The exploit hinges on meticulously formatting the sshargs payload such that the final base64-encoded chunk translates into a valid local file path, such as ace/c+aliFIo.
If the attacker has pre-positioned an executable payload at this specific relative path, the terminal will interpret the base64 string as a local command and inadvertently execute the malicious software.
Califio reported this flaw to iTerm2 on March 30, with a fix committed the following day. However, this patch has not yet been incorporated into stable public releases.
What You Should Do
- Update iTerm2 immediately once a stable patched version is released.
- Exercise extreme caution when opening or viewing untrusted text files, especially those from unknown sources or email attachments.
- Be wary of connecting to unfamiliar SSH servers, as they may deliver malicious terminal output designed to exploit this vulnerability.
- Consider temporarily disabling iTerm2’s SSH integration features if your workflow allows, until the patch is widely available.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.