At G-Research we have many developers using different tools for their work, and this includes many different terminals. Our open source team decided it was worth spending time looking for security issues in various terminals and related programs.
The result of this research was finding multiple remote code execution issues in terminals across nearly all platforms, including mobile phones.
Background
The terminal is the program that displays text, and sometimes graphics, when you interact with a command-line shell (for example bash or Zsh on Unix systems); the shell runs inside the terminal and is the primary tool you interact with. Different terminals offer many different features, including full graphics (via Sixel), sound (DECPS, as implemented in DEC hardware terminals and now supported by Windows Terminal) and more.
Terminals use escape sequences to support more than plain text: for example, after “\e[31m”, where “\e” is a literal ASCII escape character, the following text is displayed in red.
As well as setting colours, terminals support escape sequences that make the terminal reply with a string. Often the reply is not user controllable, for example the size of the terminal in characters. In some cases, however, the reply is user controllable, or it is a fixed string that, arriving in an unexpected context, can be misinterpreted by the program running in the terminal.
In order for these to be exploitable, an attacker needs the ability to write raw, unescaped text to the terminal, as well as either a bug in the terminal or an escape sequence that results in a suitable string being written back.
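To make the precondition in this paragraph concrete, here is an added example (not code from the original post or from G-Research) of a defensive filter a program can apply before it writes untrusted text, such as another process's output, to its own terminal: plain colour (SGR) sequences are passed through, and every other control character the terminal would act on is rendered visibly in caret notation, which also breaks any sequence it began. The sequence layout it relies on (ESC [ for CSI, ESC ] for OSC, U+0080 to U+009F for 8-bit controls) and the choice to allow SGR through are assumptions, not anything the post specifies.

```python
import re

# Plain SGR (colour/attribute) sequence: ESC [ <digits and semicolons> m
SGR = re.compile(r"\x1b\[[0-9;]*m")
# C0 controls that only affect line layout; assumed acceptable to pass through.
ALLOWED_C0 = {"\n", "\r", "\t"}


def visible(ch: str) -> str:
    """Render a control character so it is displayed rather than interpreted."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)   # ESC (0x1b) becomes ^[, BEL becomes ^G
    if code == 0x7F:
        return "^?"                     # DEL
    return "\\u%04x" % code             # C1 controls U+0080..U+009F, e.g. 8-bit CSI


def sanitize(text: str, allow_sgr: bool = True) -> str:
    """Neutralise terminal control sequences in untrusted text.

    Plain SGR sequences pass through (optionally); any other ESC, BEL, C1
    control or DEL is made visible, which also breaks the sequence it began.
    Works on code points: decode UTF-8 first, so that a continuation byte such
    as 0x9B in "Û" is never mistaken for an 8-bit CSI (U+009B).
    """
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\x1b" and allow_sgr:
            m = SGR.match(text, i)
            if m:
                out.append(m.group())
                i = m.end()
                continue
        code = ord(ch)
        if (code < 0x20 and ch not in ALLOWED_C0) or code == 0x7F or 0x80 <= code <= 0x9F:
            out.append(visible(ch))
        else:
            out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a colour sequence (kept), then a title-setting OSC
    # and a clear-screen CSI that untrusted output should not get to issue.
    sample = "\x1b[31mred\x1b[0m \x1b]0;constructed title\x07\x1b[2J done"
    print(sanitize(sample))
```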
The most notable previous work in this space was by HD Moore in 2003, who discovered that the “report title” sequence in xterm could be combined with the ability to set the title to essentially run commands (CVE-2003-0063).