A vulnerability in the wall command of the util-linux package that is part of the Linux operating system could allow an unprivileged attacker to steal passwords or change the victim's clipboard.
Tracked as CVE-2024-28085, the security issue has been dubbed WallEscape and has been present in every version of the package for the past 11 years up to 2.40 released yesterday.
Although the vulnerability is an interesting example of how an attacker can deceive a user into giving their administrator password, exploiting is likely limited to certain scenarios.
An attacker needs to have access to a Linux server that already has multiple users connected at the same time through the terminal, such as a college where students may connect for an assignment.
Security researcher Skyler Ferrante discovered WallEscape, which is described as an "improper neutralization of escape sequences in wall" command.
Exploiting WallEscape
WallEscape impacts the ‘wall’ command, which is typically used in Linux systems to broadcast messages to the terminals of all users logged to the same system, such as a server.
Because escape sequences are improperly filtered when processing input through command line arguments, an unprivileged user could exploit the vulnerability using escape control characters to create a fake SUDO prompt on other users' terminals and trick them into typing their administrator password.
The security issue can be exploited under certain conditions. Ferrante explains that exploitation is possible if the "mesg" utility is active and the wall command has setgid permissions.
The researcher notes that both conditions are present on Ubuntu 22.04 LTS (Jammy Jellyfish) and Debian 12.5 (Bookworm) but not on CentOS.
Proof-of-concept exploit code for WallEscape has been published to demonstrate how an attacker could leverage the issue.
Along with the technical details, Ferrante also includes exploitation scenarios that could lead to separate outcomes.
One example describes the steps to create a fake sudo prompt for Gnome terminal to trick the user into typing in their password.
Ferrante details that this is possible by creating a fake SUDO prompt for Gnome terminal to trick the user into typing in the sensitive info as a command line argument.
This requires some precautions that are possible by using the wall command to pass to the target a script that changes their input in the terminal (foreground color, hides typing, sleep time) so that the fake password prompt passes as a legitimate request.
To find the password, an attacker would then have to check the /proc/$pid/cmdline file for the command arguments, which are visible for unprivileged users on multiple Linux distributions.
Another attack would be to change the clipboard of a target user through escape sequences. The researcher highlights that this method does not work with all terminal emulators, Gnome being among them.
"Since we can send escape sequences through wall, if a user is using a terminal that supports this escape sequence, an attacker can change the victims clipboard to arbitrary text," Ferrante details.
The researcher provides in the vulnerability report the demo code to set the trap and run the attack and also explains how it works for both exploitation scenarios.
It is worth noting that exploiting WallEscape depends on local access (physical or remote via SSH), which limits its severity.
The risk comes from unprivileged users with access to the same system as the victim in multi-user settings like an organization's server.
Users are advised to upgrade to linux-utils v2.40 to patch the vulnerability. Typically, the update is made available through the Linux distribution’s standard update channel on the package manager, but there could be some delay.
System administrators can mitigate CVE-2024-28085 immediately by removing the setgid permissions from the ‘wall’ command or by disabling the message broadcast functionality using the ‘mesg’ command to set its flag to ‘n’.
