Terminal escape injection in AWS CloudShell
Original Post:
We discussed this vulnerability during Episode 77 on 18 May 2021
The vulnerability here is in libterm.js as used by AWS CloudShell. When handing the escape to get the Termcap/Terminfo string (+q) it’ll reflect the parameter right back into the respond. The problem there is the response is sent back via .send() which ultimately leads into the terminal’s input so by adding a newline into your param an attacker can escape the escape code and inject their own commands. An attacker in this case just needs to control output to the terminal, this can be from a curl or a cat or any other command.