New information has surfaced regarding a security flaw affecting the ‘wall’ command in the util-linux package. This flaw could potentially be exploited by malicious entities to reveal a user’s password or modify the clipboard on specific Linux distributions.
WallEscape: A New Threat
The vulnerability, identified as CVE-2024-28085, has been dubbed ‘WallEscape’ by cybersecurity expert Skyler Ferrante.
“The wall command in util-linux does not sanitize escape sequences from command line inputs,” explains Ferrante. “This permits non-privileged users to display arbitrary text on other users’ terminals, provided that mesg is enabled (‘y’) and wall has setgid permissions.”
This flaw was first introduced in a commit made in August 2013.
Understanding the ‘wall’ Command
The ‘wall’ command is used to broadcast a message to the terminals of all users currently logged into a server. This is particularly useful for users with higher permissions to alert crucial information to all local users, such as an impending system shutdown.
According to the Linux command manual, “wall exhibits a message, or the contents of a file, or its standard input, on the terminals of all currently logged-in users. Only the superuser can write on the terminals of users who have opted to reject messages or are using a program that automatically rejects messages.”
Exploiting CVE-2024-28085
CVE-2024-28085 takes advantage of inadequately sanitized escape sequences supplied via command line inputs to deceive users into generating a counterfeit sudo (superuser do) prompt on other users’ terminals and trick them into typing their passwords.
However, for this exploit to be successful, the mesg utility, which governs the ability to display messages from other users, must be enabled (‘y’), and the wall command must have setgid permissions.
Impacted Distributions
CVE-2024-28085 affects Ubuntu 22.04 and Debian Bookworm as these two conditions are satisfied. CentOS is not susceptible as the wall command does not have setgid.
“On Ubuntu 22.04, we have sufficient control to leak a user’s password by default,” Ferrante reveals. “The only sign of an attack to the user will be an incorrect password prompt when they correctly enter their password, along with their password appearing in their command history.”
Similarly, on systems that permit wall messages to be sent, an attacker could potentially modify a user’s clipboard through escape sequences on certain terminals like Windows Terminal. This exploit does not work on GNOME Terminal.
Recommended Mitigation
Users are urged to upgrade to util-linux version 2.40 to safeguard against this vulnerability.
According to the release notes, “[CVE-2024-28085] allows non-privileged users to display arbitrary text on other user’s terminals, if mesg is enabled and wall has setgid permissions. Not all distributions are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is enabled by default).”
Additional Security Concerns
This revelation coincides with security researcher notselwyn detailing a use-after-free vulnerability in the Netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.
Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the root cause of the issue is the failure to sanitize input of Netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. This issue has been addressed in a commit pushed on January 24, 2024.
