Hi,

I discovered iTerm2 versions 3.5.0 and 3.5.1 (and some beta versions) have a bug where the preference for whether title reporting is enabled is not respected -- the result is title reporting is always enabled*.

This is fixed by iTerm2 3.5.2, available from https://iterm2.com/downloads.html -- automatic updates should prompt you to install this version.

There is no CVE yet, this is essentially another variant of CVE-2003-0063...

To test if you're vulnerable:

  printf '\e]0;ivulnerable\a\e[21t'

If you have some or all of the string "vulnerable" (but not just "l") in your input buffer, you're vulnerable. (You can also test via ssh termtest.dgl.cx, which does a variant of the above test and others over SSH, source code at https://github.com/dgl/vt-houdini.)

This is not trivially exploitable (at least in a way that works without user interaction), as it is not possible to echo back a newline or control characters. However as Zsh is the default shell on macOS it may be possible to use some of the vi techniques like I used in xterm CVE-2022-45063[1]. Some of the techniques in solid-snail's previous iTerm2 research[2] could apply too. So treat this as potential remote code execution.

David

*: Unless you change the advanced setting "Disable potentially insecure escape sequences" -- which works as a mitigation too, but disables shell integration and some other features.

[1]: https://www.openwall.com/lists/oss-security/2022/11/10/1
[2]: https://blog.solidsnail.com/posts/2023-08-28-iterm2-rce
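The same check as the printf one-liner above, written as an added example (not part of David's post or of vt-houdini): it puts the TTY in raw mode so the terminal's reply is read by the script rather than landing in the shell's input buffer, uses a random nonce as the title so stray keystrokes cannot produce a false positive, and parses the xterm-style reply (OSC l title ST). The nonce, helper names and 0.5 s timeout are this example's own choices.

```python
"""Does this terminal answer the xterm 'report window title' query (CSI 21 t)?
iTerm2 3.5.0/3.5.1 did so regardless of the preference; 3.5.2 respects it."""
import os
import re
import secrets
import select
import sys

# xterm-style reply to CSI 21 t: OSC l <title> ST, where ST is ESC \ or BEL.
TITLE_REPORT = re.compile(rb"\x1b\]l(?P<title>[^\x1b\x07]*)(?:\x1b\\|\x07)")


def build_probe(nonce: str) -> bytes:
    """Set the title to our nonce (OSC 0 ... BEL), then ask for it back (CSI 21 t)."""
    return b"\x1b]0;" + nonce.encode() + b"\x07\x1b[21t"


def title_reported(response: bytes, nonce: str) -> bool:
    """True if the bytes read back from the terminal contain a title report
    carrying our nonce. A terminal that ignores CSI 21 t sends nothing, so an
    empty buffer means title reporting is disabled (or the setting is honoured)."""
    m = TITLE_REPORT.search(response)
    return m is not None and nonce.encode() in m.group("title")


def probe(timeout: float = 0.5) -> bool:
    """Interactive check; needs a real TTY on stdin/stdout (constructed helper)."""
    import termios
    import tty
    nonce = "probe-" + secrets.token_hex(4)  # random so typed input can't fake a hit
    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)
    try:
        tty.setraw(fd)  # raw mode: the reply comes to us, not to the shell's line editor
        os.write(sys.stdout.fileno(), build_probe(nonce))
        buf = b""
        while select.select([fd], [], [], timeout)[0]:
            chunk = os.read(fd, 1024)
            if not chunk:
                break
            buf += chunk
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)
    return title_reported(buf, nonce)


if __name__ == "__main__":
    if not sys.stdin.isatty():
        sys.exit("run this from an interactive terminal")
    print("title reporting ENABLED (vulnerable)" if probe() else "title reporting disabled")
```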