This paper reflects work done in late 2022 and 2023 to audit terminal emulators for vulnerabilities, with a focus on open source software. The result of this work was 10 CVEs against terminal emulators that could result in Remote Code Execution (RCE); in addition, various other bugs and hardening opportunities were found. The exact context and severity of these vulnerabilities varied, but some form of code execution was found to be possible on several common terminal emulators across the main client platforms of today.
Additionally, several new ways to exploit these kinds of vulnerabilities were found.
This is the full technical write-up and assumes some familiarity with the subject matter; for a gentler introduction see my post on the G-Research site.
Some light reading for the weekend.
These researchers focus on software with open source code because it is readily available, but this type of thing is very normal in proprietary software too. Take a typical enterprise project in an unsafe language that has had countless employees committing code; you are almost guaranteed to find numerous bugs & vulnerabilities. Many companies don’t appreciate developers auditing code and finding bugs because it balloons the costs of projects that PMs under-budgeted. One of the companies I worked at had so many known bugs that they simply decided not to fix them anymore until they got reported by customers, haha. I laugh at it now, but it really irked me.