Vulnerability that allows you to insert escape sequences into other people's terminals

Teacher

A vulnerability (CVE-2024-28085) has been identified in the wall utility, which is supplied in the util-linux package and is intended for sending messages to terminals, and which allows an attack on other users' terminals by manipulating escape sequences. The problem is caused by the fact that the wall utility blocks the use of escape sequences in the input stream but does not do so for arguments on the command line, which allows an attacker to execute escape sequences in the terminals of other users.

For example, by running wall $(printf "\033[33mHI") you can display "HI" in yellow. Using escape sequences that allow you to move the cursor, clear and replace content on the screen, you can simulate showing a password prompt from the sudo utility in another user's terminal. If the user does not notice the trick and enters their password, the password will appear in the input history as a non-existent command (in fact, the user will enter their password on the command line instead of a command).

"\033[3A"                        // move the cursor up 3 lines
"\033[K"                         // erase the previous output
"[sudo] password for a_user:"    // display a dummy sudo prompt
"\033[?25l"                      // hide the cursor
"\033[38;2;48;10;36m"            // set the text colour to the terminal's background colour to hide the input

When a warning message is displayed that the entered command was not found, many distributions run the /usr/lib/command-not-found handler, which tries to identify the package that contains the missing command and give a hint about whether it can be installed. The problem is that when the command-not-found handler is run, the nonexistent command is passed to it as a command-line parameter, which is visible when viewing processes in the system (for example, when you try to run the "xsnow" utility that is not installed, "/usr/lib/command-not-found -- xsnow" will be visible in the list of processes). Accordingly, an attacker can monitor running processes (for example, by analyzing the contents of "/proc/$pid/cmdline" for the predicted PID number) and determine the password entered by the victim on the command line.

In order for the user to enter a password in response to a fictitious sudo prompt, a trick is proposed, the essence of which is to track in the list of processes the actual launch of the sudo utility, wait for its completion, and carry out an attack through "wall" immediately after that. By manipulating escape sequences, the attacker can replace the message after the actual execution of sudo with a dummy prompt to re-enter the password. The victim may think that they made a mistake and enter the password a second time, exposing the password in the arguments of the "command-not-found" handler.

A successful attack requires setting the "mesg" mode to the "y" value, which is set by default in Ubuntu, Debian, and CentOS/RHEL. The ability to perform an attack is demonstrated in Ubuntu 22.04 in the default configuration when using gnome-terminal. In Debian, the attack is difficult, since the "command-not-found" handler is not enabled by default in the distribution, and in CentOS/RHEL, the attack will not work, since the wall utility is installed without the setgid flag and does not have access to other people's terminals. When using windows-terminal, the attack can be modified to change the contents of the clipboard.

The vulnerability has been present in the util-linux package since 2013, after the 2.24 release added the ability to specify a message in the wall command line, but forgot to apply cleaning of escape sequences. The vulnerability fix is included in yesterday's util-linux 2.40 release. It is noteworthy that when trying to fix the vulnerability in the util-linux 2.39 release, another similar vulnerability was identified, which allows substitution of control characters through locale manipulation.
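As an added example (not code from the post or from util-linux), here is a byte-level sanitiser of the kind wall applies to its stdin but, before 2.40, did not apply to its command-line argument; the function name sanitize_for_terminal, the constructed FAKE_PROMPT payload and the choice to octal-escape bytes above 0x7f are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rewrite a message so that control bytes (including ESC, 0x1b) reach
 * the receiving terminal in caret notation ("^[") instead of being
 * interpreted.  Newline and tab are kept.  Bytes >= 0x80 are emitted
 * as "\ooo", a deliberately locale-independent choice so that no
 * multibyte trick can smuggle a C1 control byte such as CSI (0x9b).
 * Returns the number of bytes written, or (size_t)-1 if out is too
 * small.  Stand-in for wall's stdin sanitisation, not util-linux code. */
size_t sanitize_for_terminal(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char buf[5];
        int len;
        if (*p == '\n' || *p == '\t') {
            buf[0] = (char)*p; len = 1;            /* whitespace kept */
        } else if (*p < 0x20 || *p == 0x7f) {
            buf[0] = '^'; buf[1] = (char)(*p ^ 0x40); len = 2;  /* ^[ etc. */
        } else if (*p >= 0x80) {
            len = snprintf(buf, sizeof buf, "\\%03o", *p); /* \303 etc. */
        } else {
            buf[0] = (char)*p; len = 1;            /* printable ASCII */
        }
        if (n + (size_t)len >= outlen)             /* keep room for NUL */
            return (size_t)-1;
        memcpy(out + n, buf, (size_t)len);
        n += (size_t)len;
    }
    out[n] = '\0';
    return n;
}

/* Constructed payload in the shape the post describes: cursor up 3,
 * erase line, fake sudo prompt, hide cursor, text colour 48;10;36. */
static const char FAKE_PROMPT[] =
    "\033[3A\033[K[sudo] password for a_user:\033[?25l\033[38;2;48;10;36m";

int main(void)
{
    char out[256];
    if (sanitize_for_terminal(FAKE_PROMPT, out, sizeof out) != (size_t)-1)
        printf("%s\n", out);   /* prints the payload with every ESC as ^[ */
    return 0;
}
```

Run against FAKE_PROMPT the output is a harmless visible string, which is what a user at the receiving terminal should see instead of a moved cursor and a fake prompt.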