Details have emerged about a vulnerability impacting the “wall” command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.
The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.
“The util-linux wall command does not filter escape sequences from command line arguments,” Ferrante said. “This allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to “y” and wall is setgid.”
“wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users,” the man page for the Linux command reads. “Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages.”
CVE-2024-28085 essentially exploits improperly filtered escape sequences provided via command line arguments to trick users into creating a fake sudo (aka superuser do) prompt on other users’ terminals and trick them into entering their passwords.
However, for this to work, the mesg utility – which controls the ability to display messages from other users – has to be set to “y” (i.e., enabled) and the wall command has to have setgid permissions.
CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm as these two criteria are met. On the other hand, CentOS is not vulnerable since the wall command does not have setgid.
“[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and *wall is setgid*,” according to the release notes. “Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default).”
The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.
Source: https://thehackernews.com/