CVE-2024-23749: 
NixOS vulnerability analysis and mitigation

KiTTY versions 0.76.1.13 and before are vulnerable to command injection via the filename variable in the GetOneFile function. The vulnerability was introduced in the original release in May 2021 and affects all versions up to KiTTY ≤ 0.76.1.13 in their default configuration. The issue occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (DEFCESCO Blog, SecurityOnline).

The vulnerability resides within the kitty.c file, specifically in the GetOneFile function at lines 2369-2390. When KiTTY encounters the ANSI escape sequence \033]0;__rv, it interprets it as an instruction to transfer files using Putty Secure Copy Protocol (PSCP). The vulnerability stems from insufficient input validation where the filename variable is concatenated to a buffer and then executed using system() calls without proper sanitization (DEFCESCO Blog).

The vulnerability allows attackers to execute arbitrary code with the privileges of the user running KiTTY. Since KiTTY operates within the standard user permission group by default, successful exploitation could lead to unauthorized access and control over the affected system. The vulnerability affects users across Windows 11, 10, 8, 7, and XP operating systems (SecurityOnline).

Despite the discovery of the vulnerability and attempts to contact the maintainer, there has been no response from KiTTY's maintainer Cyril Dupont. The vulnerability was initially reported on January 8, 2024, followed by a follow-up email on January 28, 2024, before public disclosure on February 7, 2024 (DEFCESCO Blog).