=================================================================
Wall-Escape (CVE-2024-28085)
Skyler Ferrante: Escape sequence injection in util-linux wall
=================================================================
Summary
=================================================================
The util-linux wall command does not filter escape sequences from
command line arguments. The vulnerable code was introduced in
commit cdd3cc7fa4 (2013). Every version since has been
vulnerable.
This allows unprivileged users to put arbitrary text on other
users' terminals, if mesg is set to y and wall is setgid. CentOS
is not vulnerable since wall is not setgid. On Ubuntu 22.04 and
Debian Bookworm, wall is setgid and mesg is set to y by default.
If a system runs a command when commands are not found, with the
unknown command as an argument, the unknown command will be
leaked. This is true of Ubuntu 22.04. Debian Bookworm does not
leak unknown commands in its starting configuration.
On Ubuntu 22.04, we have enough control to leak a user's password
by default. The only indication of the attack to the user will be
an incorrect password prompt when they correctly type their
password, along with their password appearing in their command
history.
On other systems that allow wall messages to be sent, an attacker
may be able to alter the clipboard of a victim. This works on
windows-terminal, but not on gnome-terminal.
=================================================================
Analysis
=================================================================
When displaying inputs from stdin, wall uses the function
fputs_careful in order to neutralize escape characters.
Unfortunately, wall does not do the same for input coming from
argv.
term-utils/wall.c (note that mvec is argv)
```c
/*
 * Read message from argv[]
 */
int i;
for (i = 0; i < mvecsz; i++) {
	fputs(mvec[i], fs);
	if (i < mvecsz - 1)
		fputc(' ', fs);
}
fputs("\n", fs);
...
/*
 * Read message from stdin.
 */
while (getline(&lbuf, &lbuflen, stdin) >= 0)
	fputs_careful(lbuf, fs, '^', true, TERM_WIDTH);
```
Since argv is attacker controlled, and can contain binary data,
this is exploitable. A simple PoC command:
wall $(printf "
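As an added example (not util-linux's own code), the following routes the argv path through a simplified caret-notation filter of the kind fputs_careful already applies to stdin, so a joined argv message can never carry a live escape sequence. The function names, the static output buffer and the octal rendering of 8-bit bytes are assumptions of this example; line wrapping and multibyte handling of the real fputs_careful are left out.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst, rendering control bytes harmless: C0 controls
 * (including ESC) become ^X, DEL becomes ^?, 8-bit bytes become \ooo.
 * Returns bytes written (excluding NUL); truncates if dst is too small. */
size_t careful_copy(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char tmp[8];
        int len;
        if (*p == '\t' || *p == '\n')            /* plain whitespace passes */
            len = snprintf(tmp, sizeof tmp, "%c", *p);
        else if (*p < 0x20)                     /* C0 control, e.g. ESC -> ^[ */
            len = snprintf(tmp, sizeof tmp, "^%c", *p + 0x40);
        else if (*p == 0x7f)                    /* DEL */
            len = snprintf(tmp, sizeof tmp, "^?");
        else if (*p >= 0x80)                    /* 8-bit byte shown as octal */
            len = snprintf(tmp, sizeof tmp, "\\%03o", *p);
        else
            len = snprintf(tmp, sizeof tmp, "%c", *p);
        if (n + (size_t)len >= dstsz)           /* keep room for the NUL */
            break;
        memcpy(dst + n, tmp, (size_t)len);
        n += (size_t)len;
    }
    dst[n] = '\0';
    return n;
}

/* Join argv the way wall does (space-separated, trailing newline), but
 * through careful_copy. Returns a pointer to a static buffer (assumed). */
const char *wall_message_from_argv(int argc, char *const argv[])
{
    static char out[4096];
    size_t n = 0;
    for (int i = 0; i < argc; i++) {
        n += careful_copy(argv[i], out + n, sizeof out - n);
        if (i < argc - 1 && n + 1 < sizeof out)
            out[n++] = ' ';
    }
    if (n + 1 < sizeof out)
        out[n++] = '\n';
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* Constructed argv: an ESC-prefixed colour sequence followed by text. */
    char *const demo[] = { "\033[33mHi", "there" };
    fputs(wall_message_from_argv(2, demo), stdout);   /* prints: ^[[33mHi there */
    return 0;
}
```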
- Written by: Khalil Shreateh