Terminal escape injection in AWS CloudShell

We discussed this vulnerability as part of our weekly podcast on 18 May 2021

The vulnerability here is in libterm.js as used by AWS CloudShell. When handing the escape to get the Termcap/Terminfo string (+q) it’ll reflect the parameter right back into the respond. The problem there is the response is sent back via .send() which ultimately leads into the terminal’s input so by adding a newline into your param an attacker can escape the escape code and inject their own commands. An attacker in this case just needs to control output to the terminal, this can be from a curl or a cat or any other command.