Details have been disclosed about a security flaw in the "wall" command of the util-linux suite that a malicious actor could exploit to leak a user's password or alter clipboard content on certain Linux systems.
The vulnerability, identified as CVE-2024-28085, has been given the name WallEscape by the cybersecurity researcher Skyler Ferrante. It is a case of improper neutralization of escape sequences.
Skyler Ferrante noted, "The wall function in util-linux fails to sanitize escape characters from the input provided via command line, enabling users without privileges to display any text on the terminal screens of other users, given that the mesg setting is enabled ('y') and wall possesses setgid permissions."
This issue originated from a code update in August 2013.
The "wall" command posts a message to the terminals of all users currently logged in to a server, which lets users with elevated permissions broadcast important announcements to all local users (for instance, notice of an impending system shutdown).
According to the manual for this Linux command, "wall is utilized to display a message, file contents, or data from its standard input across the terminals of all users currently logged in. Only root users have the ability to post messages on the terminals of users who have opted out of receiving messages or are in applications that block messages by default."
An exploit for CVE-2024-28085 passes escape sequences on the command line to make a fraudulent superuser password prompt appear on other users' terminals, tricking them into typing their passwords.
For the exploit to succeed, two conditions must be met: the mesg utility, which controls whether messages from other users are displayed, must be set to 'y', and the wall command must have setgid permissions.
Ubuntu 22.04 and Debian Bookworm are vulnerable to CVE-2024-28085 as they fulfill these requirements, whereas CentOS is not, due to the wall command lacking setgid permissions.
"In Ubuntu 22.04, it is possible to expose a user's password by default," Ferrante explained. "The only hint of the attack to the victim might be an erroneous password prompt upon correct entry of their password, with their password then appearing in their command history."
In addition, on systems that permit the sending of wall messages, an attacker could potentially modify the clipboard of a user through escape sequences in certain terminals like Windows Terminal, but not in GNOME Terminal.
To address this vulnerability, users should upgrade to util-linux version 2.40.
"[CVE-2024-28085] enables users without privileges to display any text on others' terminals, provided mesg is enabled ('y') and wall is setgid," the release notes state. "Not every distribution is affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian's wall command is setgid with mesg enabled by default)."
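What the missing sanitization step amounts to, as an added example (this is not util-linux code and not the actual fix): a filter that rewrites every control byte in a message into visible text before it reaches a terminal, so an embedded escape sequence is displayed rather than interpreted. The function name `neutralize` and the sample strings are constructed for illustration; bytes at or above 0x80 are hex-escaped, a simplification that also rewrites UTF-8 text.

```c
#include <stdio.h>
#include <string.h>

/* Copy msg into out, rewriting every byte a terminal could act on.
 * Printable ASCII, newline and tab pass through unchanged.
 * C0 controls and DEL become caret notation (ESC -> "^[", DEL -> "^?").
 * Bytes >= 0x80 (including 8-bit C1 controls such as 0x9b) become "\xHH".
 * Returns the number of bytes written (without the NUL), or -1 if out
 * is too small to hold the whole result. */
int neutralize(const char *msg, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        char buf[5];
        int n;

        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f)) {
            buf[0] = (char)*p;
            n = 1;
        } else if (*p < 0x20 || *p == 0x7f) {
            buf[0] = '^';
            buf[1] = (char)(*p ^ 0x40);
            n = 2;
        } else {
            n = snprintf(buf, sizeof buf, "\\x%02x", *p);
        }
        if (o + (size_t)n >= outsz)   /* keep one byte for the NUL */
            return -1;
        memcpy(out + o, buf, (size_t)n);
        o += (size_t)n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a message carrying a "clear screen" sequence. */
    const char *sample = "maintenance at 5pm\033[2J";
    char safe[128];

    if (neutralize(sample, safe, sizeof safe) >= 0)
        puts(safe);   /* the ESC byte is shown as the two characters ^[ */
    return 0;
}
```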
The disclosure follows another by security researcher notselwyn, who detailed a use-after-free vulnerability in the netfilter subsystem of the Linux kernel that could be leveraged for local privilege escalation.
Tracked as CVE-2024-1086 (with a CVSS score of 7.8), this flaw arises from a failure to properly sanitize netfilter verdicts, which could allow a local attacker to cause a denial-of-service (DoS) condition or potentially execute arbitrary code. This issue was rectified in a code update made on January 24, 2024.