“WallEscape” Flaw Targets Linux: Update Immediately
A significant vulnerability has been discovered in the Linux operating system, allowing unprivileged attackers the potential to purloin passwords or alter the clipboard contents of their victims. This issue pertains to the wall command within the util-linux package, integral to all Linux distributions for the past eleven years. The flaw has been rectified recently with the release of util-linux version 2.40.
The vulnerability, designated as CVE-2024-28085 and named WallEscape, is particularly intriguing as it enables a malefactor to deceive a user into surrendering their administrative password.
However, the exploitation of this vulnerability is confined to specific conditions. For instance, the attacker requires access to a Linux server where multiple users are concurrently active in a terminal, a scenario commonly found in academic settings.
The identification of this issue is credited to security researcher Skyler Ferrante, who characterized WallEscape as the “improper neutralization of control sequences in the wall command.”
Delving into the technicalities, the vulnerability allows malefactors to embed terminal control (escape) sequences in a wall message and so render a spurious sudo password prompt on other users’ terminals. This is possible because wall does not filter such sequences out of messages supplied through its command-line arguments before broadcasting them.
For WallEscape to be utilized, certain prerequisites must be met, including message reception being enabled on the victim’s terminal via the mesg utility and the wall binary carrying setgid permissions (so that it can write to other users’ terminals). These conditions are present in distributions like Ubuntu 22.04 LTS (Jammy Jellyfish) and Debian 12.5 (Bookworm), but are absent in CentOS, for example.
Ferrante provided proof-of-concept code to demonstrate exploitation, outlining scenarios that could lead to various outcomes, including the generation of a fake sudo request in a Gnome terminal and the alteration of the victim’s clipboard through control sequences. However, the clipboard modification technique does not work with all terminal emulators.
The exploitation of WallEscape necessitates local access (either physical or remote via SSH), thereby reducing its severity but maintaining a risk for multi-user systems such as organizational servers.
Users are urged to promptly upgrade to util-linux version 2.40 to mitigate the vulnerability. As an interim precaution, administrators may remove the setgid permissions from the wall command, or users may disable message reception on their terminal with the mesg command by setting its flag to “n” (mesg n).
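The following audit script is an added example, not code from the article, from util-linux or from the researcher’s proof of concept; it checks a host for the three preconditions described above (util-linux older than 2.40, a setgid wall binary, mesg enabled) and names the interim fixes from the text. It assumes that wall --version prints a line of the form “wall from util-linux <version>”, as util-linux tools do.

```shell
#!/bin/sh
# WallEscape (CVE-2024-28085) exposure audit. Added example; not part of
# util-linux. Exit status of audit_wall is 1 when an unpatched or setgid
# wall is found, 0 otherwise.

# Pull the version out of `wall --version` output such as
# "wall from util-linux 2.39.3" (assumed output format).
parse_util_linux_version() {
    printf '%s\n' "$1" | sed -n 's/.*util-linux \([0-9][0-9.]*\).*/\1/p'
}

# Succeed (exit 0) when the version string is below the fixed release 2.40.
version_below_2_40() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 40 ]; }
}

# Succeed when the file carries the setgid bit that lets wall write to
# other users' terminals.
has_setgid() {
    [ -g "$1" ]
}

# Succeed when `mesg` reports that the current terminal accepts messages.
mesg_enabled() {
    mesg 2>/dev/null | grep -q 'is y'
}

# Run all checks against the live system and print the findings.
audit_wall() {
    wall_bin=$(command -v wall) || { echo "wall not installed: not exposed"; return 0; }
    ver=$(parse_util_linux_version "$("$wall_bin" --version 2>/dev/null)")
    echo "wall binary: $wall_bin (util-linux ${ver:-unknown})"
    exposed=0
    if [ -n "$ver" ] && version_below_2_40 "$ver"; then
        echo "  util-linux $ver is older than 2.40: upgrade"; exposed=1
    fi
    if has_setgid "$wall_bin"; then
        echo "  $wall_bin is setgid; interim fix: chmod g-s $wall_bin"; exposed=1
    fi
    if mesg_enabled; then
        echo "  this terminal accepts messages; interim fix: mesg n"
    fi
    [ "$exposed" -eq 0 ] && echo "no WallEscape preconditions met"
    return "$exposed"
}
```

Run audit_wall on each multi-user host; a non-zero exit status flags a machine that still needs the upgrade or the chmod g-s workaround.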