Details have emerged about a vulnerability affecting the “wall” command of the util-linux package, which could be exploited by bad actors to reveal user passwords or alter the clipboard on some Linux distributions.
This vulnerability is numbered CVE-2024-28085 and codenamed escape wall Presented by security researcher Skyler Ferrante. It is described as a situation where escape sequences are not properly neutralized.
“The util-linux wall command does not filter escape sequences from command-line arguments,” Ferrante said. “If mesg is set to “y” and wall is set to setgid, then an unprivileged user is allowed to place arbitrary text on other users’ terminals.”
The vulnerability was introduced as part of an August 2013 commit.
The “wall” command is used to write a message to the terminals of all users currently logged into the server, essentially allowing users with elevated privileges to broadcast critical information (for example, a system shutdown) to all local users.
“wall displays messages, file contents, or standard input on all terminals of the currently logged-in user,” the man page for the Linux command reads. “Only superuser can reject messages on the terminals of users who have chosen to reject messages or who are using a program that automatically rejects messages. Write to the terminal.”
CVE-2024-28085 essentially exploits improperly sanitized escape sequences provided via command line arguments to trick users into creating fake SUDO prompts on other users’ terminals and tricking them into entering their passwords.
However, to implement this functionality, the mesg utility (which controls the ability to display messages from other users) must be set to “y” (ie enabled), and the wall command executed with setgid permissions.
CVE-2024-28085 affects Ubuntu 22.04 and Debian Bookworm because both conditions are met. CentOS, on the other hand, is not vulnerable because the wall command does not have setgid.
“On Ubuntu 22.04, we have enough control to default to leaking user passwords,” Ferrante said. “The only indication of an attack on the user is that when the user enters the password correctly, an incorrect password prompt appears and the password is in the command history.”
Likewise, on systems that allow wall messaging, an attacker could alter a user’s clipboard via escape sequences on selected terminals, such as Windows Terminal. It does not work with GNOME Terminal.
Users are recommended to update to util-linux version 2.40 to mitigate this flaw.
“[CVE-2024-28085] According to the release notes, if mesg is set to y and *wall is set to setgid*, then unprivileged users are allowed to place arbitrary text on other users’ terminals. “Not all distributions will be affected (for example, CentOS, RHEL, Fedora will not; Ubuntu Debian wall’s setgid and mesg default to y).
The revelation comes as security researcher notselwyn details a use-after-free vulnerability in the netfilter subsystem in the Linux core that can be exploited to achieve local privilege escalation.
Assigned CVE identifier CVE-2024-1086 (CVSS score: 7.8), the root issue stems from a failure in input sanitization of netfilter decisions, which could allow a local attacker to cause a denial of service (DoS) condition or possibly execute arbitrary code. The issue was resolved in a commit pushed on January 24, 2024.
