A new Linux bug could lead to user password leaks and clipboard hijacking

March 29, 2024 | Pressroom | Vulnerabilities / Linux


Details have emerged about a vulnerability affecting the “wall” command of the util-linux package that could potentially be exploited by an attacker to leak a user’s password or alter the clipboard on some Linux distributions.

The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.

“The wall util-linux command does not filter escape sequences from command line arguments,” Ferrante said. “This allows unprivileged users to insert arbitrary text onto other users’ terminals, if mesg is set to “y” and wall is setgid.”

The vulnerability was introduced as part of an effort carried out in August 2013.


The “wall” command is used to write a message to the terminals of all users who are currently connected to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system crash).

“wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users,” the Linux command’s man page reads. “Only the superuser can write to the terminals of users who have chosen to deny messages or who use a program that automatically denies messages.”

CVE-2024-28085 essentially exploits improperly filtered escape sequences provided via command-line arguments to create a fake sudo prompt on other users’ terminals and trick them into entering their passwords.

However, for this to work, the mesg utility, which controls the ability to display messages from other users, must be set to “y” (i.e., enabled) and the wall command must have setgid permissions.

CVE-2024-28085 affects Ubuntu 22.04 and Debian Bookworm because both criteria are met there. CentOS, on the other hand, is not vulnerable since its wall command is not setgid.

“On Ubuntu 22.04, we have enough control to leak a user’s password by default,” Ferrante said. “The only indication of attack to the user will be an incorrect password prompt when they type the password correctly, along with the password in the command history.”

Similarly, on systems that allow sending wall messages, an attacker could potentially alter a user’s clipboard through escape sequences on selected terminals such as Windows Terminal. This does not work on GNOME Terminal.

Users are advised to update to util-linux version 2.40 to mitigate the flaw.
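What "neutralizing" escape sequences means in practice, as an added example (not util-linux's code and not from the article): a C filter that rewrites control bytes into visible caret or hex notation before text is written to a terminal. The function name `neutralize` and the sample message are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not util-linux code: copy `in` to `out` so that no
 * byte a terminal could act on stays active. Newline and tab pass through;
 * other control bytes become caret notation (ESC -> "^[", DEL -> "^?");
 * bytes >= 0x80 become "\xNN", which also covers 8-bit C1 controls.
 * Returns the number of bytes rewritten, or -1 if `out` is too small. */
int neutralize(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int rewritten = 0;

    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char buf[5];                      /* longest form: "\xNN" + NUL */
        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f)) {
            buf[0] = (char)*p;
            buf[1] = '\0';
        } else {
            if (*p < 0x20)
                snprintf(buf, sizeof buf, "^%c", *p + 0x40);
            else if (*p == 0x7f)
                snprintf(buf, sizeof buf, "^?");
            else
                snprintf(buf, sizeof buf, "\\x%02x", *p);
            rewritten++;
        }
        size_t n = strlen(buf);
        if (o + n + 1 > outsz)            /* keep room for the final NUL */
            return -1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return rewritten;
}

int main(void)
{
    /* Constructed sample: text wrapped in bold-on / reset sequences. */
    const char *msg = "\033[1mmaintenance\033[0m at 22:00\n";
    char safe[128];
    int n = neutralize(msg, safe, sizeof safe);
    printf("%d byte(s) neutralized: %s", n, safe);
    return 0;
}
```

A nonzero return value is also a useful audit signal: a broadcast message that needed rewriting contained bytes a terminal would otherwise have interpreted.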


“[CVE-2024-28085] allows unprivileged users to insert arbitrary text on other users’ terminals, if mesg is set to y and *wall is setgid*,” according to the release notes. “Not all distributions are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is setgid and mesg is set to y by default).”

The revelation comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.

Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from the failure to sanitize netfilter verdict inputs, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It was resolved in a commit posted on January 24, 2024.
