On March 15, 2024, GNOME released an update for libvte that fixed a memory consumption vulnerability, now known as CVE-2024-37535. This vulnerability affects many popular terminal emulators such as GNOME Terminal, XFCE Terminal and MATE Terminal that use libvte version 0.76.2 or older. This vulnerability can be exploited by an attacker to kill the Xorg session, which will cause the victim to lose all of their unsaved work.
Many terminal emulators, such as XFCE Terminal, iTerm2 and Windows Terminal, support ANSI escape and Operating System Command (OSC) sequences. These sequences let a program change the terminal's colours, format text, and alter the behaviour of the terminal emulator itself. For example, a simple ANSI escape sequence can make the word "GRØNT" (Norwegian for "GREEN") appear in green.
Which OSC sequences are supported varies between terminal emulators. For example, the terminal emulator Kitty lets you transfer files over the TTY protocol, which most others do not support. In terminal emulators such as GNOME Terminal, XFCE Terminal and MATE Terminal, which follow the control sequences of the old XTerm, OSC sequences can be used to resize the terminal window itself, as shown in the image below.
In the OSC sequence \e[4;W;Ht, W represents the width and H the height of the window. The libvte library controls the size of the terminal window through these sequences. The width and height are stored as int16, where 32767 is the largest number supported.
Since window resize requests sent via OSC sequences are not validated, an attacker can send values that exceed the int16 limit. A malicious sequence such as \e[4;65535;65535t exhausts memory, and the Xorg window server crashes with a segmentation fault, as shown in the log below.
An attacker can deliver this malicious sequence through any tool that writes untrusted content to the terminal without filtering escape sequences, such as curl, cat and head. For example, the attacker can place the sequence on a web page and entice the victim to fetch it with curl, or put it in a text file that the victim reads with cat or head. It is also possible to deliver the sequence through the ANSI escape injection vulnerability in WinRAR (CVE-2024-33899).
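The following filter is an added example and is neither part of the original article nor libvte's own code. It shows what a defender can put between an untrusted source (a downloaded page, a log file, a mail attachment) and the terminal: it flags every ESC [ ... t resize request whose dimensions exceed the int16 limit the article describes, and it strips all window-manipulation sequences from the data, since an ordinary text file has no legitimate reason to resize your window. It goes slightly beyond the article in also checking operation 8, which XTerm documents next to operation 4 as a resize in character cells rather than pixels. The sample bytes are constructed for the demonstration; only the 7-bit ESC [ form of the sequence is handled.

```python
import re

# Largest value a 16-bit signed field can hold; libvte stores the window
# width and height in int16 (from the article).
INT16_MAX = 32767

# CSI window-manipulation sequence: ESC [ Ps ; Ps ; Ps t
# (the article calls this an OSC sequence). Up to three numeric parameters,
# terminated by the final byte 't'. The 8-bit C1 form (0x9B) is not covered.
CSI_WINDOW_OP = re.compile(rb"\x1b\[(\d*(?:;\d*){0,2})t")

# Operations that request a resize: 4 = in pixels (the article's case),
# 8 = in character cells (documented by XTerm alongside 4).
RESIZE_OPS = (4, 8)


def parse_params(raw: bytes) -> list:
    """Split 'Ps;Ps;Ps' into ints; an empty parameter defaults to 0, as in XTerm."""
    return [int(p) if p else 0 for p in raw.split(b";")]


def find_oversized_resizes(data: bytes) -> list:
    """Return (offset, params) for every resize request whose dimensions do
    not fit in a signed 16-bit field."""
    findings = []
    for m in CSI_WINDOW_OP.finditer(data):
        params = parse_params(m.group(1))
        if params[0] not in RESIZE_OPS:
            continue
        if any(v > INT16_MAX for v in params[1:]):
            findings.append((m.start(), params))
    return findings


def sanitize_window_ops(data: bytes) -> bytes:
    """Strip every CSI ... t window-manipulation sequence, oversized or not.
    Colour and other SGR sequences are left untouched."""
    return CSI_WINDOW_OP.sub(b"", data)


# Constructed sample input: a harmless colour sequence, two in-range resize
# requests, and the oversized request from the article.
SAMPLE = (
    b"normal line\n"
    b"\x1b[32mGREEN\x1b[0m\n"       # SGR colour: not a window op, kept
    b"\x1b[4;800;600t\n"            # resize to 800x600 px: within int16
    b"\x1b[4;65535;65535t\n"        # the sequence from the article
    b"\x1b[8;40;100t\n"             # 40 rows x 100 cols: within int16
)


def report(data: bytes) -> str:
    """Human-readable summary of what the filter found, for the stand-alone run."""
    lines = []
    for offset, params in find_oversized_resizes(data):
        lines.append(f"offset {offset}: resize op {params[0]} with params "
                     f"{params[1:]} exceeds {INT16_MAX}")
    return "\n".join(lines) if lines else "no oversized resize requests"


if __name__ == "__main__":
    print(report(SAMPLE))
    cleaned = sanitize_window_ops(SAMPLE)
    print(f"{len(SAMPLE) - len(cleaned)} bytes of window-manipulation sequences removed")
```

Piping untrusted content through such a filter (or simply viewing it with `cat -v` or `less`, which render escape sequences visibly instead of passing them to the terminal) is the practical mitigation until the terminal's libvte is updated past 0.76.2.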
As demonstrated in the video below, exploitation of this vulnerability can lead to the user's session being interrupted, which can then lead to loss of unsaved work.