Recent Linux Vulnerability Poses Risk of User Password Disclosure and Clipboard Hijacking


A New Vulnerability in the Linux "wall" Command Could Lead to Password Leaks and Clipboard Manipulation

A recently discovered vulnerability affecting the "wall" command within the util-linux package has raised concerns about potential password leaks and clipboard manipulation on certain Linux distributions.

Security researcher Skyler Ferrante, who has codenamed the vulnerability (CVE-2024-28085) WallEscape, has identified an issue of improper neutralization of escape sequences within the util-linux wall command. This vulnerability allows unprivileged users to insert arbitrary text onto other users' terminals, provided that the "mesg" utility is enabled and the wall command has setgid permissions.

The vulnerability, introduced in a commit made in August 2013, affects systems where the mesg utility is set to "y" and the wall command has setgid permissions. This scenario enables attackers to exploit improperly filtered escape sequences passed through command line arguments to create fake sudo prompts on other users' terminals, potentially tricking them into disclosing their passwords.

The impact of CVE-2024-28085 is observed on Ubuntu 22.04 and Debian Bookworm, as these distributions meet the specified criteria. However, CentOS remains unaffected as the wall command does not have setgid permissions.

On affected systems like Ubuntu 22.04, attackers can gain enough control to leak a user's password, with users only noticing an incorrect password prompt along with their password appearing in their command history.

Moreover, attackers could potentially manipulate users' clipboards through escape sequences on select terminals like Windows Terminal, although this does not work on GNOME Terminal.

To mitigate this flaw, users are advised to update to util-linux version 2.40.
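The three conditions named above (a setgid wall binary, mesg set to "y", and a util-linux release older than 2.40) can be checked locally. The script below is an added example, not code from the article or from the util-linux project; the function names are its own, and it assumes the installed wall is the util-linux one, whose `--version` output ends with the version number.

```shell
#!/bin/sh
# Added example: local check of the WallEscape (CVE-2024-28085) conditions.
# Function names are this example's own, not part of util-linux.

# True if $1 is a regular file with the setgid bit set.
is_setgid() {
    [ -f "$1" ] && [ -g "$1" ]
}

# 0 if util-linux version $1 is older than 2.40 (the fixed release),
# 1 if it is 2.40 or newer, 2 if the string cannot be parsed.
version_is_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}              # "37.2" -> "37"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -lt 40 ] && return 0
    return 1
}

# mesg with no arguments exits 0 when messages are allowed, 1 when they
# are not, and >1 on error (for example when there is no terminal).
# It reports on the current user's terminal only.
mesg_is_y() {
    mesg >/dev/null 2>&1
}

report() {
    wall_bin=$(command -v wall) || { echo "wall: not installed"; return 0; }
    # Assumption: util-linux wall prints "wall from util-linux X.Y[.Z]".
    ver=$("$wall_bin" --version 2>/dev/null | awk '{print $NF}')
    if is_setgid "$wall_bin"; then echo "setgid wall: yes"
    else echo "setgid wall: no"; fi
    if mesg_is_y; then echo "mesg: y"
    else echo "mesg: n or unknown"; fi
    rc=0; version_is_vulnerable "$ver" || rc=$?
    case $rc in
        0) echo "util-linux $ver: older than 2.40, update" ;;
        1) echo "util-linux $ver: 2.40 or newer" ;;
        *) echo "util-linux version: unknown" ;;
    esac
}

report
```
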

The disclosure of this vulnerability coincides with another security issue detailed by researcher Notselwyn, involving a use-after-free vulnerability in the netfilter subsystem of the Linux kernel (between versions 5.14 and 6.6.14). Assigned CVE-2024-1086, this vulnerability could lead to local privilege escalation and has been addressed in a commit pushed on January 24, 2024.