A serious vulnerability has been discovered in Linux that allows attackers to spoof password prompts or tamper with the victim's clipboard. The issue lies in the wall command from the util-linux package and has been present in all Linux distributions for the past 11 years, up until the recent release of util-linux 2.40.
The vulnerability has been assigned the identifier CVE-2024-28085 and is named WallEscape. It allows attackers to deceive users by tricking them into entering their administrative password.
However, exploitation is limited to specific conditions: the attacker must have access to a Linux server on which multiple users work through the terminal, such as in an educational institution.
The vulnerability was discovered by security researcher Skyler Ferrante, who described WallEscape as “improper neutralization of control sequences in the wall command.”
From a technical perspective, the vulnerability lets attackers use control characters to simulate a fake sudo password prompt in other users' terminals. This is possible because these characters are not properly filtered when wall processes its command-line arguments, so they reach the other users' terminal emulators and are interpreted rather than displayed.
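As an added illustration (not code from util-linux or from the researcher's proof of concept), the following Python filter shows what neutralizing such control sequences looks like on the defending side: every byte a terminal would interpret is rendered in caret notation, as `cat -v` prints it, so the receiving terminal displays it instead of acting on it. The sample messages are constructed for the demonstration.

```python
"""Added example: make terminal control sequences in a broadcast message
visible before it is written to other users' terminals.

This is not util-linux's own code; it demonstrates the kind of filtering
whose absence the article describes. Sample messages are constructed."""

import re

# Bytes a terminal would interpret: C0 controls (0x00-0x1f) except newline
# and tab, DEL (0x7f), and the C1 range (0x80-0x9f), which some emulators
# treat as 8-bit equivalents of ESC-prefixed sequences (0x9b acts as CSI).
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def _caret(ch: str) -> str:
    """Render one control character in cat -v style caret notation."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    if code < 0x20:
        return "^" + chr(code + 0x40)          # ESC -> "^[", BEL -> "^G"
    return "M-^" + chr(code - 0x80 + 0x40)     # C1 0x9b -> "M-^["


def neutralize(message: str) -> str:
    """Return the message with every interpretable control byte made visible.

    Newline and tab are kept so ordinary multi-line notices still render."""
    return _CONTROL.sub(lambda m: _caret(m.group(0)), message)


def contains_control_sequences(message: str) -> bool:
    """True if a terminal would act on part of this message instead of showing it."""
    return _CONTROL.search(message) is not None


if __name__ == "__main__":
    # Constructed samples: a benign notice, and one that tries to clear the
    # screen and move the cursor home before printing its own text.
    benign = "System reboot at 18:00, please save your work.\n"
    hostile = "\x1b[2J\x1b[H" + "Reminder: save your work\n"
    for msg in (benign, hostile):
        print(contains_control_sequences(msg), repr(neutralize(msg)))
```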
For WallEscape to work, specific conditions must be met: the mesg utility must be active and the wall command must be setgid. These conditions are present in Ubuntu 22.04 LTS (Jammy Jellyfish) and Debian 12.5 (Bookworm), but are absent in CentOS.
Ferrante has also released proof-of-concept (PoC) code demonstrating the flaw, covering scenarios with different outcomes, such as creating a fake sudo prompt in GNOME Terminal and manipulating the victim's clipboard through control sequences. Notably, not all terminal emulators allow the clipboard to be manipulated this way.
While WallEscape requires local access (physical or via SSH), which lowers its severity, it still poses a risk