In a previous post about AI-discovered bugs in Vim and Emacs, we looked at how seemingly harmless workflows could cross a surprising line into code execution. This time we wanted to push that idea even further: is cat readme.txt safe?
It turns out that it is NOT, if you use iTerm2.
That looks insane until you understand what iTerm2 is trying to do for a legitimate feature, how it uses the PTY, and what happens when terminal output is able to impersonate one side of that feature's protocol.
We'd like to acknowledge OpenAI for partnering with us on this project.
Background: iTerm2's SSH integration
iTerm2 has an SSH integration feature that gives it a richer understanding of remote sessions. To make that work, it does not just "blindly type commands" into a remote shell. Instead, it bootstraps a tiny helper script on the remote side called the conductor.
The rough model is:
iTerm2 launches SSH integration, usually through it2ssh.
iTerm2 sends a remote bootstrap script, the conductor, over the existing SSH session.
That remote script becomes the protocol peer for iTerm2.
iTerm2 and the remote conductor exchange terminal escape sequences to coordinate things like:
discovering the login shell
checking for Python
changing directories
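The premise above is that bytes in an untrusted file, once printed, can be parsed by the terminal as protocol messages rather than text. As an added example (not from the original post and not iTerm2's or the conductor's code), here is a small Python scanner that classifies the escape sequences a file carries and rewrites them as visible markers before they reach a terminal parser; the sequence grammar follows ECMA-48/xterm conventions, and the sample file is constructed, not a payload from the post.

```python
# Added example (not from the original post): classify and neutralize terminal
# escape sequences in an untrusted byte stream before displaying it.
# Grammar follows ECMA-48 / xterm conventions; the sample input is constructed.
import re

ESC = b"\x1b"

SEQ_RE = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI: ESC [ params intermediates final
    rb"|\x1b[\]P_^].*?(?:\x07|\x1b\\)"     # OSC/DCS/APC/PM string, ended by BEL or ST
    rb"|\x1b[@-Z\\-_]"                     # other two-byte escapes (7-bit C1 forms)
    rb"|\x1b.",                            # anything else following ESC
    re.DOTALL,
)

# Introducer byte after ESC -> sequence family
KIND = {b"[": "CSI", b"]": "OSC", b"P": "DCS", b"_": "APC", b"^": "PM"}


def scan(data: bytes):
    """Return a list of (kind, raw_sequence) for every escape sequence found."""
    found = []
    for m in SEQ_RE.finditer(data):
        seq = m.group(0)
        found.append((KIND.get(seq[1:2], "ESC"), seq))
    return found


def risky(findings) -> bool:
    """String-carrying families (OSC/DCS/APC/PM) are the ones that can carry
    arbitrary payload text to a terminal feature, so flag any of them."""
    return any(kind in ("OSC", "DCS", "APC", "PM") for kind, _ in findings)


def neutralize(data: bytes) -> bytes:
    """Rewrite each sequence as a visible <...> marker so the terminal only sees text."""
    def show(m):
        vis = m.group(0).replace(ESC, b"^[").replace(b"\x07", b"^G")
        return b"<" + vis + b">"
    return SEQ_RE.sub(show, data)


# Constructed sample: a "readme" hiding a colour CSI and an OSC string sequence.
SAMPLE = b"Hello\x1b[31m world\x1b[0m\n\x1b]0;constructed title\x07plain text\n"

if __name__ == "__main__":
    findings = scan(SAMPLE)
    for kind, seq in findings:
        print(kind, seq)
    print("risky:", risky(findings))
    print(neutralize(SAMPLE).decode())
```

Running the neutralized output through a pager or `cat` is the defensive equivalent of `cat -v`: the sequences stay inspectable but are never interpreted.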