From Ubuntu to Debian: Many Linux distributions are at risk due to a long-standing bug

Teacher

The WallEscape vulnerability went unnoticed for 11 years. Did hackers manage to use it?

A serious vulnerability has been discovered in Linux that allows unprivileged local attackers to steal passwords or alter the victim's clipboard. The problem concerns the wall command in the util-linux package, which has shipped with all Linux distributions for the past 11 years. The bug was fixed quite recently, with the release of util-linux 2.40.

The vulnerability was assigned CVE-2024-28085 and named WallEscape. It is notable because it allows an attacker to deceive the user into entering their administrative password.

However, exploitation depends on specific deployment conditions. For instance, the attacker needs access to a Linux server where several users are logged in simultaneously via terminals, such as a university environment.

The problem was discovered by security researcher Skyler Ferrante, who described WallEscape as "improper neutralization of escape sequences in the wall command."

Looking at the vulnerability from the technical side, it allows attackers to use control characters to create a fake sudo password prompt in other users' terminals. This is possible because wall does not correctly filter these characters when the message is supplied via command-line arguments.

To exploit WallEscape, certain conditions must be met: the mesg setting must be enabled and the wall binary must have setgid permissions. These conditions exist, for example, in Ubuntu 22.04 LTS (Jammy Jellyfish) and Debian 12.5 (Bookworm), but are absent in CentOS.

Ferrante provided a PoC code to demonstrate the exploitation, describing scenarios that can lead to various results, including creating a fake sudo request in the Gnome terminal and modifying the victim's clipboard via escape sequences. However, the clipboard modification method does not work with all terminal emulators.

Using WallEscape requires local access (physical or remote via SSH), which reduces its criticality, but leaves a risk for multi-user systems, such as corporate servers.

Users are advised to upgrade to util-linux v2.40 immediately to fix the vulnerability. As a temporary precaution, administrators can remove the setgid permissions from the wall command, or disable message delivery to terminals with the mesg command by setting its flag to "n" (`mesg n`).
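The following script is an added example, not part of the article or of Ferrante's PoC. It audits a host for the three preconditions the article lists (util-linux older than 2.40, a setgid wall binary, and mesg set to "y") and prints the mitigations the article recommends. It assumes GNU coreutils `stat -c` and that `wall --version` prints a version string like "wall from util-linux 2.37.2".

```shell
#!/bin/sh
# Added example: check a host for the WallEscape (CVE-2024-28085) preconditions.
FIXED_VERSION="2.40"   # util-linux release that fixed the bug, per the article

# Return 0 if the given util-linux version is older than 2.40.
version_is_vulnerable() {
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 40 ]; }
}

# Return 0 if the file carries the setgid bit (octal mode 2xxx, 3xxx, 6xxx or 7xxx).
has_setgid() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a "mesg" status line (e.g. "is y") means the terminal accepts messages.
mesg_enabled() {
    case "$1" in
        *"is y"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report findings; always returns 0 so it can run from a login script.
audit_wall() {
    wall_path=$(command -v wall) || { echo "wall not installed: not exposed"; return 0; }
    ver=$(wall --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1)
    if [ -n "$ver" ] && version_is_vulnerable "$ver"; then
        echo "util-linux $ver is older than $FIXED_VERSION: upgrade"
    fi
    if has_setgid "$wall_path"; then
        echo "$wall_path is setgid: mitigate with 'chmod g-s $wall_path'"
    fi
    if mesg_enabled "$(mesg 2>/dev/null)"; then
        echo "this terminal accepts messages: mitigate with 'mesg n'"
    fi
    return 0
}

audit_wall
```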