WallEscape Vulnerability Leaks User Passwords in Linux
A vulnerability has been identified in the wall command-line utility in Linux, which could allow an attacker to steal user passwords or modify the clipboard on the victim’s system. Dubbed “WallEscape” and officially tracked as CVE-2024-28085, the vulnerability resides in the wall command within the util-linux package, present in Linux distributions for over a decade, up until the recent release of version 2.40. Skyler Ferrante, who discovered this flaw, describes it as an “improper neutralization of escape sequences in wall command”.
WallEscape Vulnerability Details
Ferrante mentioned that the util-linux ‘wall’ command lacks escape sequence filtering from command line arguments. If mesg is set to ‘y’ and wall is setgid, unprivileged users could inject arbitrary text onto other users’ terminals. Linux distributions such as CentOS, RHEL, and Fedora remain unaffected since wall isn’t setgid. However, Ubuntu 22.04 and Debian 12 “Bookworm” are vulnerable, as wall is setgid and mesg defaults to ‘y’.
The WallEscape vulnerability poses a significant risk on Ubuntu 22.04 as a user’s password can be leaked by default. The sole indication of an attack for the user would be an incorrect password prompt upon entering their correct password, alongside the password appearing in their command history.
Ferrante also outlined potential attack scenarios, including the creation of counterfeit SUDO prompts within the Gnome terminal to trick users into entering sensitive information. This involves manipulating terminal settings via the ‘wall’ command to simulate authentic prompts, with subsequent password retrieval from command arguments.
Additionally, on systems permitting wall messages, attackers might modify a victim’s clipboard. This tactic proves effective on windows-terminal but not on gnome-terminal.
Mitigation Measures
Mitigation strategies involve updating to util-linux v2.40 or promptly removing setgid permissions from the ‘wall’ command. Alternatively, administrators can disable message broadcasting by running the mesg n command in the terminal. While the severity of WallEscape is limited by its dependency on local access and specific system configurations, users are urged to remain vigilant and apply necessary patches or mitigations as advised.
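As an added example (not from the article, BleepingComputer, Ferrante, or util-linux), the following POSIX shell script checks a host for the three preconditions described in the details section above (wall is setgid, mesg reports ‘y’, util-linux is older than 2.40) and prints the mitigations from this section when all three hold. The ls -l style mode string, the “is y”/“is n” output of mesg, and the “wall from util-linux <version>” output of wall -V are assumptions about the tooling on the host; the script only reports and changes nothing.

```shell
#!/bin/sh
# WallEscape (CVE-2024-28085) exposure check. Added example, not code from
# the article or from util-linux. It tests the three preconditions the
# article names (wall setgid, mesg 'y', util-linux < 2.40) and only reports.

# Returns 0 when an ls -l style mode string (e.g. "-rwxr-sr-x") carries the
# setgid bit: the group-execute slot is the 7th character, 's' or 'S'.
mode_has_setgid() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Normalise the output of `mesg` ("is y" / "is n") to y, n or unknown.
mesg_state() {
    case "$1" in
        *y) echo y ;;
        *n) echo n ;;
        *)  echo unknown ;;
    esac
}

# Returns 0 when a util-linux version string (2.39.3, 2.40, 2.40.1, 3.0 ...)
# is 2.40 or newer, i.e. carries the fix. Unparseable input counts as old.
util_linux_patched() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major$minor" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 40 ]; }
}

# Combine the preconditions: the host is exposed only when all three hold.
# Arguments: mode string, mesg state (y/n), util-linux version.
# Prints "vulnerable" or "not-vulnerable".
assess() {
    if mode_has_setgid "$1" && [ "$2" = y ] && ! util_linux_patched "$3"; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Print the mitigations the article lists for a given wall path. Nothing is run.
recommend() {
    echo "Upgrade util-linux to 2.40 or newer, or apply one of:"
    echo "  chmod g-s $1   # drop the setgid bit from wall (as root)"
    echo "  mesg n         # refuse broadcast messages on this terminal"
}

# Gather the live values and report. Assumed formats: `ls -ldL` mode string,
# `mesg` printing "is y"/"is n", `wall -V` printing "wall from util-linux X".
main() {
    wall_path=$(command -v wall) || { echo "wall not installed; not exposed"; return 0; }
    mode=$(ls -ldL "$wall_path" | cut -c1-10)
    mesg_out=$(mesg 2>/dev/null) || true        # exit 1 means 'n', >1 means no tty
    state=$(mesg_state "$mesg_out")
    version=$(wall -V 2>/dev/null | awk '{print $NF}')
    echo "wall: $wall_path  mode: $mode  mesg: $state  util-linux: ${version:-unknown}"
    verdict=$(assess "$mode" "$state" "${version:-unknown}")
    echo "verdict: $verdict"
    [ "$verdict" = vulnerable ] && recommend "$wall_path"
    return 0
}

main "$@"
```

The version check deliberately treats anything it cannot parse as unpatched, so a distribution-specific version suffix (for example a packaging revision appended to 2.37.2) still compares on the major.minor pair rather than silently passing.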
The sources for this article include a story from BleepingComputer.