Fresh Linux Vulnerability May Result in User Password Exposure and Clipboard Seizure

New details have surfaced regarding a flaw affecting the 'wall' command within the util-linux package, potentially exploitable by malicious actors to expose user passwords or manipulate the clipboard on select Linux distributions.

Identified as CVE-2024-28085, this vulnerability has been dubbed WallEscape by security analyst Skyler Ferrante. It stems from inadequate filtering of escape sequences.

According to Ferrante, 'The util-linux wall command fails to properly screen escape sequences from command line inputs, enabling unauthorized users to inject arbitrary text into other users' terminals when mesg is set to "y" and wall is setgid.'

This vulnerability was introduced through a commit in August

The 'wall' command serves the purpose of disseminating messages to all actively logged-in users on a server, typically utilized by administrators to convey critical information such as impending system shutdowns.

According to the Linux command's manual page, 'wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users.' It further specifies that only the superuser possesses the authority to transmit messages to users who have opted to refuse messages or are engaged in applications that automatically refuse them.

CVE-2024-28085 abuses the unfiltered escape sequences passed through command-line arguments to draw a counterfeit sudo (superuser do) prompt on other users' terminals, tricking those users into divulging their passwords.

However, successful exploitation requires that the mesg utility, which controls whether messages from other users are displayed, be set to 'y' (enabled), and that the 'wall' command have setgid permissions.

CVE-2024-28085 affects Ubuntu 22.04 and Debian Bookworm, since both meet the aforementioned conditions. Conversely, CentOS is unaffected because its 'wall' command lacks setgid permissions.

Ferrante remarked, 'On Ubuntu 22.04, we possess sufficient control to extract a user's password by default. The sole indication of an attack for the user would be an erroneous password prompt upon correctly inputting their password, alongside the recording of their password in their command history.'

Likewise, on systems permitting the transmission of wall messages, an assailant could potentially manipulate a user's clipboard through escape sequences on specific terminals like Windows Terminal, although this tactic fails on GNOME Terminal.

Users are strongly advised to update to util-linux version 2.40 to mitigate this vulnerability.
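The conditions described above (a setgid 'wall', a terminal with mesg set to 'y', and a util-linux release older than 2.40) can be checked on each host. The script below is an added example, not code from the article or from util-linux; its function names and the `--host` switch are this example's own, and it assumes a `sort` that supports `-V`.

```sh
#!/bin/sh
# Added example (not from the article): reports whether the preconditions
# the article lists for CVE-2024-28085 hold. Function names are hypothetical.

# "wall is setgid": true if the file carries the setgid bit.
is_setgid() { [ -g "$1" ]; }

# "mesg is y": mesg y makes the terminal device group-writable, and mesg
# reports "is y" when the tty is group- or other-writable.
tty_accepts_messages() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# True if version $1 sorts strictly before version $2 (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print one verdict for a wall binary, a tty device and a util-linux version.
# A distribution may backport the fix to an older version number, so a
# "preconditions met" verdict still needs a look at the vendor advisory.
assess() {
    if ! version_lt "$3" 2.40; then
        echo "fixed upstream: util-linux $3"
    elif ! is_setgid "$1"; then
        echo "not exposed: wall is not setgid"
    elif ! tty_accepts_messages "$2"; then
        echo "not exposed: terminal refuses messages"
    else
        echo "preconditions met: setgid wall, mesg y, util-linux $3"
    fi
}

# Gather the three inputs from the machine the script runs on.
check_this_host() {
    wall_bin=$(command -v wall) || { echo "wall not installed"; return 0; }
    ver=$(wall --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1)
    term=$(tty) || term=/nonexistent
    assess "$wall_bin" "$term" "${ver:-0}"
}

# Usage: sh wallcheck.sh --host
if [ "${1:-}" = "--host" ]; then check_this_host; fi
```

Run it with `--host` from an interactive login so that `tty` resolves to the terminal whose mesg setting matters.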