Unraveling WallEscape: A Linux Vulnerability Exposing User Passwords and Hijacking Clipboards

By TFH

Published on Mar 29, 2024   —   2 min read

Recently, a significant vulnerability in the Linux environment, termed WallEscape and identified as CVE-2024-28085, has come to light. This vulnerability poses a serious risk by potentially leaking user passwords and enabling clipboard hijacking. Let's dive deeper into the details and implications of this flaw, and understand the steps users can take to protect themselves.

The Heart of WallEscape

At the core of WallEscape is an issue with the "wall" command, a staple of the util-linux package in Linux systems. Security researcher Skyler Ferrante revealed that this command fails to properly sanitize escape sequences in inputs. Unauthorized users can exploit this flaw to display arbitrary text on the terminals of other users, provided two conditions are met: message delivery to the terminal (the mesg setting) must be enabled, and the wall command must be installed with set group ID (setgid) permissions. The vulnerability traces back to a change made in August 2013, which shows how long some security flaws can stay latent.

Exploiting the Vulnerability

The exploit leverages the wall command's intended functionality—to broadcast messages across all logged-in user terminals—for malicious purposes. By injecting escape sequences through command-line arguments, attackers can create a bogus superuser (sudo) prompt on the terminals of unsuspecting users. This deceptive prompt can trick users into entering their passwords, which are then logged, potentially allowing attackers to gain unauthorized access. Additionally, on systems where the wall messages are enabled, attackers could manipulate the clipboard contents on vulnerable terminals, such as Windows Terminal, although not all terminals are susceptible to this form of attack.

Scope and Impact

CVE-2024-28085 is particularly concerning for users of Ubuntu 22.04 and Debian Bookworm, as these distributions meet the specific conditions that allow the vulnerability to be exploited. Conversely, distributions like CentOS are not affected because their wall command is not installed setgid. The exploitation scenarios highlight the importance of secure system configurations and the need for vigilant security practices.

Mitigation and Protection

In response to the discovery of WallEscape, users are advised to upgrade to util-linux version 2.40, which addresses this vulnerability. This action is a critical step in safeguarding against the potential misuse of the wall command. Moreover, system administrators and users should regularly review and update their software to protect against newly discovered vulnerabilities.
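A quick way to check a host against the conditions described in this article (setgid wall, mesg enabled, util-linux older than 2.40). This script is an added example, not part of the original article or of util-linux; the function names and verdict labels are made up for illustration.

```shell
#!/bin/sh
# Added example: checks the WallEscape (CVE-2024-28085) conditions from the article.
# Function names and verdict labels are hypothetical.
FIXED_VERSION="2.40"   # fixed util-linux release named in the article

# True if the file exists and has the setgid bit set.
is_setgid() { [ -g "$1" ]; }

# Pull X.Y[.Z] out of `wall --version` output ("wall from util-linux X.Y.Z").
parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*util-linux \([0-9][0-9.]*\).*/\1/p'
}

# True if version $1 sorts strictly before $2 (relies on sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# $1 = wall setgid (yes/no), $2 = mesg state (y/n/unknown), $3 = version or ""
# An unknown mesg state or version is treated conservatively as exposed.
verdict() {
    if [ -n "$3" ] && ! version_lt "$3" "$FIXED_VERSION"; then
        echo "patched"
    elif [ "$1" != "yes" ]; then
        echo "not-setgid"
    elif [ "$2" = "n" ]; then
        echo "mesg-off"
    else
        echo "exposed"
    fi
}

check_host() {
    wall_bin=$(command -v wall 2>/dev/null || true)
    if [ -z "$wall_bin" ]; then echo "wall: not installed"; return 0; fi
    if is_setgid "$wall_bin"; then sg=yes; else sg=no; fi
    ver=$(parse_version "$("$wall_bin" --version 2>/dev/null || true)")
    # mesg with no argument exits 0 if messages are allowed, 1 if refused.
    rc=0; mesg >/dev/null 2>&1 || rc=$?
    case $rc in 0) m=y ;; 1) m=n ;; *) m=unknown ;; esac
    echo "wall=$wall_bin setgid=$sg mesg=$m util-linux=${ver:-unknown}"
    echo "verdict: $(verdict "$sg" "$m" "$ver")"
}

check_host
```

mesg is a per-terminal setting, so the result covers only the terminal the script runs in. Distribution packages may also carry the fix under an older version string, so confirm a non-patched verdict against your distribution's advisory.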
