Reading Time: 3 Minutes

Linux Vulnerability Exposed: WallEscape Threatens Password Theft

A critical vulnerability in the ‘wall’ command of the util-linux package, dubbed WallEscape and tracked as CVE-2024-28085, has been discovered, posing a significant security risk to Linux users. This flaw, present in every version of the package for the past 11 years up to version 2.40, could potentially enable an unprivileged attacker to steal passwords or manipulate the victim’s clipboard.

The discovery of WallEscape by security researcher Skyler Ferrante sheds light on a critical issue. Exploiting this vulnerability could enable an unprivileged attacker to pilfer passwords or manipulate a victim’s clipboard. Although the potential for exploitation exists, it is notably constrained to specific scenarios.

To successfully exploit WallEscape, an attacker must first gain access to a Linux server with multiple users concurrently connected through the terminal. This setting is commonly found in institutions like universities, where numerous students might be logged in simultaneously for various academic tasks.

At the core of WallEscape lies an “improper neutralization of escape sequences in wall” command, as described by Ferrante. The vulnerability impacts the ‘wall’ command, typically utilized in Linux systems to broadcast messages to all users’ terminals on the same server.

 

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

WallEscape Exploit

The exploit leverages the improper filtering of escape sequences within command-line arguments. By injecting escape control characters, an attacker could fabricate a fake SUDO prompt on other users’ terminals, coercing them into divulging their administrator passwords.

Ferrante outlines specific conditions necessary for successful exploitation. Notably, the ‘mesg’ utility must be active, and the wall command must possess setgid permissions. While these conditions are met in certain distributions like Ubuntu 22.04 LTS and Debian 12.5, they are absent in others like CentOS.

Proof-of-concept exploit code has been made available, illustrating how attackers could capitalize on WallEscape. Ferrante also provides detailed exploitation scenarios, including one that involves crafting a counterfeit sudo prompt within the Gnome terminal to deceive users into disclosing sensitive information.

Additionally, the vulnerability report outlines a method to manipulate a target user’s clipboard through escape sequences. Although this tactic is not universally effective across all terminal emulators, it poses a significant risk to those employing susceptible environments.