A vulnerability in BusyBox, the lightweight toolkit found in millions of Linux devices, containers, and even Windows Subsystem for Linux (WSL), can let attackers hijack your terminal using nothing more than a malicious DNS record. When you run a simple network tool like netstat, a carefully crafted hostname sent by a remote server can inject invisible commands that change your terminal’s colors, spoof legitimate output, or—under the right conditions—execute arbitrary code on your machine. The bug, tracked as CVE-2022-28391, was disclosed in April 2022, but its implications are still rippling through systems that haven’t been patched, and Windows users are not immune.
What Just Happened
BusyBox is a collection of common Unix utilities bundled into one small executable, used everywhere from routers and smart cameras to Docker containers and the Linux environments that ship inside Windows. The netstat command inside BusyBox shows active network connections and, by default, tries to resolve IP addresses to hostnames using reverse DNS (PTR records). The problem: when printing those hostnames, some versions of BusyBox don’t strip out non-printable characters, including escape sequences that terminals interpret as commands.
If a remote server responds with a PTR record containing an ESC character (0x1B) followed by specially formatted text, your terminal will act on those instructions. That can mean anything from garish color changes and cursor movement to clipboard injection via OSC 52 sequences—a feature many modern terminals support, including Windows Terminal, which can allow an attacker to feed arbitrary commands into your clipboard, ready for pasting. In worst-case scenarios, chained with other terminal features or helper programs, this can lead to full command execution.
The vulnerability affects BusyBox versions through 1.35.0, and it was first spotted and patched by Alpine Linux maintainers. The security community quickly noted that the risk depends heavily on build options: BusyBox compiled against the musl C library (common in Alpine and minimal systems) is reliably exploitable, while builds against glibc may not exhibit the same behavior. Nevertheless, multiple distribution trackers and the Microsoft Security Response Center (MSRC) published advisories, with the flaw rated High severity due to its potential for complete denial of service and the ease of exploitation.
Why Your Windows Terminal Is at Risk
Modern Windows terminals—the default Windows Terminal app, ConEmu, Alacritty, even the legacy console host—all support ANSI escape sequences by default. This is great for colorful command outputs, but it also means they will happily execute any escape sequence that comes through from a remote source, including those injected via BusyBox’s unsanitized output.
If you’re a Windows user who:
- Runs WSL and uses BusyBox tools inside it,
- SSHes into Linux servers from Windows and runs netstat or similar commands,
- Uses Docker Desktop with containers that include BusyBox,
you could be tricked by a malicious terminal display. An attacker with control over a DNS server (or able to poison DNS) could set up a PTR record for their IP address that contains escape sequences. When you investigate network connections with netstat and that IP shows up, your terminal becomes their canvas.
That’s not just an annoyance. Spoofed output can trick you into making dangerous configuration changes, clearing logs, or typing commands you didn’t intend. If the terminal supports OSC 52 clipboard operations, an attacker might inject text into your clipboard, which you then paste into a shell, effectively executing their commands. While many terminal emulators now disable clipboard injection by default or require user confirmation, not all do, and some users have overridden those protections for convenience.
Who Should Be Concerned
Home Users and WSL Enthusiasts
If you dabble with WSL, you might have BusyBox installed without realizing it. Many Docker images pull in a BusyBox layer, and if you’re a developer or hobbyist who runs netstat or similar tools interactively, you’re exposed. The attack doesn’t require you to do anything special—just running netstat, nslookup, or traceroute from BusyBox on a system that has connections from an attacker’s server could trigger the vulnerability. Since Windows Terminal is the default for WSL and supports ANSI, you’re in the blast zone.
IT Administrators and DevOps
You’re the most likely target. Remote attackers who want to compromise networks often focus on tricking admins. A carefully crafted PTR record on a seemingly benign IP could be placed in logs, and when an admin checks connections, the terminal goes haywire. Even if code execution doesn’t occur, the confusion and downtime from a hijacked terminal session can be disruptive. Plus, many monitoring and orchestration tools rely on BusyBox inside containers, and they may be regularly printing DNS data to terminals or logs that get viewed. Patch all BusyBox instances in your infrastructure—especially those built with musl (like Alpine-based containers).
Embedded Systems and IoT Operators
You might not think of Windows here, but if you manage routers, cameras, or other IoT devices from your Windows desktop via SSH or web consoles, and those devices run BusyBox (very common), they could be vulnerable. While the attack requires an interactive terminal display—meaning an admin viewing netstat—the risk is real when troubleshooting network issues. Ensure your device firmware is updated, and consider using alternative tools for network inspection that sanitize output.
The Technical Details (Without the Jargon)
Terminals that follow the VT100/ANSI standard interpret special character sequences as commands. For example, pressing ESC followed by [31m turns text red. More powerful sequences let you move the cursor, clear the screen, or tell the terminal to send data to other programs. BusyBox’s netstat, when it prints a PTR record, doesn’t check whether the hostname contains these special characters—it just spits them out. If you’re viewing the output in a terminal, the terminal obeys.
The attack flow:
1. An attacker sets up a DNS PTR record for their IP address with a value like \\x1b[31mMALICIOUS\\x1b[0m (which would turn text red) or more dangerous sequences that interact with advanced terminal features.
2. You run busybox netstat or a similar tool that performs reverse DNS lookups on connected IPs.
3. The crafted hostname is printed directly to your terminal.
4. Your terminal interprets the escape sequences and may change colors, execute commands, or corrupt the display.
Under musl-based BusyBox builds, the printf functions handle output differently, allowing the raw bytes to pass through unescaped. In glibc, certain printf implementations may filter or escape control characters, providing some accidental protection, but it’s not guaranteed.
How We Got Here
BusyBox has been a cornerstone of embedded Linux for over two decades, prized for its tiny footprint and versatility. But that very versatility means it often gets tossed into container images and minimal distributions without much thought to security patching. Terminal escape injection isn’t new: for years, security researchers have warned about displaying untrusted data in terminals, from curl piping bash to malicious log files containing escape codes. Yet the DNS PTR angle is particularly sneaky because admins rarely suspect that viewing a hostname could be dangerous.
The vulnerability was disclosed in April 2022. Alpine Linux, which uses musl and BusyBox heavily, quickly produced patches to sanitize the output of network tools, stripping out non-printable characters and limiting how hostnames could be printed. The patches were shared on the BusyBox mailing list for upstream inclusion, but as of mid-2023, many downstream builds remain unpatched because the fix hasn’t been universally adopted into the main BusyBox source tree. The MSRC advisory reinforced the severity, especially for availability impact—an attacker could render a terminal completely unusable, forcing a reboot or restart of the session.
What to Do Right Now
For Windows Users
- Check your WSL environment: Run
busybox | head -1in WSL to see if you have BusyBox and which version. If it’s 1.35.0 or earlier, you’re potentially vulnerable. - Update BusyBox: In WSL, use your Linux distribution’s package manager to update:
sudo apt update && sudo apt upgrade busybox(for Debian/Ubuntu) orsudo apk update && sudo apk upgrade busybox(for Alpine). Rebuild any Docker images that include BusyBox layers. - Temporarily avoid interactive netstat: Until patched, don’t run
netstatornslookupfrom BusyBox in a terminal where you could be targeted. Instead, redirect output to a file and view it withcat -vto escape non-printable characters. - Harden your terminal: In Windows Terminal settings, under “Interaction,” consider disabling “Allow applications to write to the clipboard” if you’re concerned about clipboard injection. In other terminals, look for settings that disable OSC 52 or restrict escape sequence processing.
For System Administrators
- Inventory all BusyBox instances: Scan containers, VMs, and appliances for BusyBox binaries. Use
docker scanor vulnerability scanners that can detect the version. - Apply vendor patches: Check your distribution’s advisory. For Alpine, install
busybox>=1.34.1-r7or later. For others, follow vendor guidance. If no patch is available, consider replacing BusyBox with alternative tools (likeiproute2for network stats) or building a patched BusyBox from source. - Monitor for anomalous DNS PTR records: Use intrusion detection rules to flag PTR responses containing escape sequences (ESC character). Snort or Suricata rules can look for
\\x1bin DNS response data. - Train staff: Alert your IT team that viewing network connections from BusyBox can be dangerous; they should use sanitized output methods or patched tools.
For Developers
- Sanitize output in your own tools: If you write code that prints potentially untrusted data to terminals, use a library or routine to strip non-printable characters. Even if you’re not using BusyBox, the lesson applies universally.
- Use minimal base images that are patched: When building Docker images, specify a fixed version of BusyBox or switch to an alternative like
busybox:1.35.0-musl-fixedif available. Regularly scan your registries for known vulnerable images.
The Long-Term Outlook
The BusyBox community will eventually merge the escaping patches into the main branch, but until then, the burden is on distribution maintainers and end users to patch. This vulnerability is a stark reminder that terminal displays are not passive; they are interpreters that can be exploited by data from anywhere on the network. Expect to see more terminal hardening—both in emulators and in the tools that output to them. For Windows users, the increasing integration of Linux tools means staying vigilant about cross-platform vulnerabilities like this one. Patch now, sanitize output, and treat your terminal as the powerful executable it really is.