CVE-2022-45872 - Exploiting iTerm2’s DECRQSS Mishandling Before 3.4.18
iTerm2 is a popular terminal emulator for macOS, used by countless developers and system admins. But sometimes even the best tools have flaws. Before version 3.4.18, iTerm2 contained CVE-2022-45872: it mishandled the response it generates for a DECRQSS request, so bytes chosen by whoever wrote the request could end up in that response. In this article we'll break down what that means, how an attack would work (with strings you can try in a scratch window), and why you should care.
What is DECRQSS and Why Does it Matter?
Terminals like iTerm2 support dozens of *escape codes*: commands that applications and scripts write to the terminal to make it do things, such as change colours or move the cursor. A few of them are queries. DECRQSS, which stands for "Request Status String" (`DCS $ q Pt ST`), asks the terminal for the current value of the setting named by `Pt`, for example `m` for the SGR attributes or `r` for the scrolling margins, and the terminal answers with another DCS string. The important part is where the answer goes: it is not drawn on screen but written back to the pty as if the user had typed it, so the foreground program, usually a shell, reads it as input.
Because anything that can write to your screen can send the request, the attacker does not need a shell on your machine: a file you `cat`, the output of an ssh session to a compromised host, a log line, a web page you fetch with `curl`, or text pasted into a program that echoes it back is enough. The issue in iTerm2 before 3.4.18 is that a specially crafted request could make the terminal put attacker-chosen bytes into its reply, which means into the input stream of whatever program was running.
The Root Cause: Mishandling Responses
A terminal has to make sure its reply can't do anything when read as keystrokes: the reply should consist only of the fixed framing and the terminal's own state, never of bytes copied from the request. Before iTerm2 version 3.4.18 that guarantee did not hold, and an attacker could get additional control characters or escape sequences into the reply. If such a reply reaches a shell, anything in it that the shell treats as the end of a line is run as a command, which is the command injection the fix refers to.
Sadly, this problem was easy to overlook because escape characters are invisible—the risk hides in plain sight.
Proof of Concept: See the Problem in Action
Let's try a harmless example in a scratch window (and, as a general rule, DO NOT paste random strings from strangers into your terminal unless you trust them).
First, a plain DECRQSS request with nothing malicious in it. It asks the terminal for its current cursor style (selector ` q`, DECSCUSR). A terminal that supports the selector answers with `DCS 1 $ r <style> q ST`, and the answer is delivered to the foreground program as input rather than drawn on screen, so you will see nothing unless a program is waiting to show it:
printf '\033P$q q\033\\'
The second string tries to abuse the mishandling by smuggling the OSC sequence `\e]2;Hacked!\a`, which renames the terminal window, into the request so that it is echoed back in the reply:
printf '\033P$q q\033]2;Hacked!\a\033\\'
If your window title changes to "Hacked!" after running this, that alone does not demonstrate CVE-2022-45872. In a standard VT parser an ESC inside a DCS string ends the string, so the terminal interprets the OSC directly, patched or unpatched, and other emulators that honour OSC 2 will rename themselves just the same. What distinguishes a vulnerable build is what it writes back to the application. To look at that instead of the side effect, send the request, then run a program that shows its raw input (`cat -v` will do) and press Enter: the reply shows up as `^[P1$r...`, and a build that reflects bytes from the request will show them there.
Why is This Dangerous?
While a changed window title is mostly harmless, the real problem is where DECRQSS replies go. They are fed to the foreground program as input, so an attacker who can get chosen bytes into the reply is effectively typing into your shell; the release note below calls this what it is, command injection via terminal output. Anything that can write to your terminal, such as a hostile file, a log line or a compromised server at the other end of an ssh session, could trigger it without you clicking or pasting anything.
How Was it Fixed?
The iTerm2 team patched this bug in version 3.4.18: the response to a DECRQSS request is now sanitized, so attacker-supplied control characters and escape codes can no longer ride along in it.
Release note
> Properly sanitize the response to DECRQSS requests to avoid command injection via terminal output.
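To make the root cause and the fix concrete, here is a small Python model of DECRQSS handling. It is an added example, not iTerm2's code: the selector table, the made-up current settings, the way the unsafe reply reflects an unknown selector, and the hostile request are all constructed for illustration, and the page does not say exactly which bytes iTerm2 reflected. What it shows is the property the 3.4.18 fix restores: the reply must be built only from the terminal's own state, never from bytes the application wrote.

```python
# Added example (not iTerm2 code): a minimal model of DECRQSS handling that
# shows why an unsanitized reply is a command-injection primitive and what
# "properly sanitize the response" has to guarantee.  The selector table,
# the reflective behaviour of reply_unsafe and the sample requests are all
# constructed assumptions; the real iTerm2 bug differs in its details.
import re

ESC = "\x1b"
DCS = ESC + "P"      # Device Control String introducer
ST = ESC + "\\"      # String Terminator

# Selectors DECRQSS may ask about, each with a made-up current setting.
# A real terminal would read these from its own state.
SETTINGS = {
    "m": "0",       # SGR: current character attributes
    "r": "1;24",    # DECSTBM: top;bottom scrolling margins
    " q": "1",      # DECSCUSR: cursor style
    '"q': "0",      # DECSCA: character protection attribute
}

# Anything that is not printable ASCII: C0 controls (newline included),
# DEL, ESC and 8-bit C1 controls such as 0x9b (CSI) or 0x9c (ST).
_CONTROL = re.compile(r"[^\x20-\x7e]")


def parse_decrqss(output):
    """Return the selector Pt of a DCS $ q Pt ST request written to the
    terminal, or None if the bytes are not a well-formed DECRQSS request."""
    if not (output.startswith(DCS + "$q") and output.endswith(ST)):
        return None
    return output[len(DCS) + 2 : -len(ST)]


def reply_unsafe(pt):
    """Model of the vulnerable behaviour (an assumption, not iTerm2's actual
    code): a known selector gets DCS 1 $ r <setting><Pt> ST, and an unknown
    one is echoed back verbatim inside a DCS 0 $ r <Pt> ST reply."""
    if pt in SETTINGS:
        return DCS + "1$r" + SETTINGS[pt] + pt + ST
    return DCS + "0$r" + pt + ST      # attacker-controlled bytes reflected


def reply_safe(pt):
    """Same protocol, but nothing the application wrote is ever reflected:
    an unknown selector gets an empty DCS 0 $ r ST, and the known-selector
    reply is assembled only from the terminal's own state."""
    if pt in SETTINGS:
        return DCS + "1$r" + SETTINGS[pt] + pt + ST
    return DCS + "0$r" + ST


def is_sanitized(reply):
    """True when the reply body (between DCS and ST) is printable ASCII only,
    i.e. contains no byte a shell or the terminal itself could act on."""
    body = reply[len(DCS):-len(ST)]
    return _CONTROL.search(body) is None


def keystrokes_seen_by_shell(reply):
    """The reply is written to the pty as input.  A line-oriented shell acts
    on every newline-terminated chunk as an entered command line; return
    those chunks (empty when the reply holds no newline at all)."""
    return reply.split("\n")[:-1]


if __name__ == "__main__":
    # Constructed hostile output: a DECRQSS request whose selector smuggles a
    # newline and a command, the way a hostile file or log line could.
    evil = DCS + "$q" + "x\nid\n" + ST
    pt = parse_decrqss(evil)
    print("unsafe reply, as seen by the shell:", keystrokes_seen_by_shell(reply_unsafe(pt)))
    print("safe reply, as seen by the shell:  ", keystrokes_seen_by_shell(reply_safe(pt)))
```

Run it and compare the two lists: the unsafe reply, read by a line-oriented shell as keyboard input, amounts to two entered lines, a garbage one and `id`, while the sanitized reply contains nothing a shell acts on. `is_sanitized` is the check to keep in mind when reviewing any terminal reply path, DECRQSS or otherwise: nothing but printable ASCII between the introducer and the terminator.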
How to Stay Safe
1. Update iTerm2: if you haven't updated yet, get 3.4.18 or later from iTerm2's website or through Homebrew, then confirm the version in the About iTerm2 dialog.
2. Be careful with what reaches your terminal: many terminal vulnerabilities, this one included, ride on output such as files you display, logs you tail and remote sessions, as well as on text you paste. Don't copy and paste from untrusted sources, and look at unknown files with a pager or a tool that shows control characters rather than dumping them straight to the screen.
3. Watch terminal security reports: Keep an eye on iTerm2’s GitHub issues or security mailing lists.
Original References
- CVE-2022-45872 on NIST NVD
- iTerm2 v3.4.18 Release Notes
- Mitre CVE Entry
Conclusion
CVE-2022-45872 is a great example of why terminal security is important. Even little issues can have consequences—especially when common tools are involved. Always keep your software up to date, don’t trust random pasted code, and pay attention to the security updates!
Timeline
Published on: 11/23/2022 22:15:00 UTC
Last modified on: 11/30/2022 20:39:00 UTC