Exploitable Vulnerability Allows for Injection of Escape Sequences in Remote Terminals

A vulnerability (CVE-2024-28085) has been identified in the wall utility from the util-linux package, which is used to send messages to terminals. It allows other users' terminals to be attacked by injecting escape sequences. The root cause is that wall filters escape sequences out of a message read from the input stream, but not out of a message passed as a command-line argument, so an attacker can inject escape sequences into other users' terminals.

For example, running `wall $(printf "\033[33mHI")` displays "HI" in yellow on the recipients' terminals. With escape sequences that move the cursor and clear or overwrite screen content, a password prompt from the sudo utility can be simulated in another user's terminal. If the user does not notice the trick and types their password, the password ends up in the shell's input history as a non-existent command (the user has in fact entered the password on the command line in place of a command).


```c
"\033[3A"                      // move the cursor up 3 lines
"\033[K"                       // erase the previous output on that line
"[sudo] password for a_user:"  // print a fake sudo prompt
"\033[?25l"                    // hide the cursor
"\033[38;2;48;10;36m"          // set the text colour to a dark tone matching the background so the typed input is not visible
```
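The fix for this bug is to run the same control-character filter over a message regardless of whether it came from stdin or from a command-line argument. The following Python is an added illustration, not util-linux code: it neutralises control characters into visible caret notation and applies that filter on both message paths, using the sequences quoted above as constructed sample input.

```python
from typing import Optional

# The sequences quoted in the article, joined into the text a forged sudo prompt
# would send to a victim's terminal. Constructed sample input for the demonstration.
FORGED_PROMPT = (
    "\033[3A"                       # move the cursor up 3 lines
    "\033[K"                        # erase to end of line
    "[sudo] password for a_user:"   # fake prompt text
    "\033[?25l"                     # hide the cursor
    "\033[38;2;48;10;36m"           # dark text colour so typed input is invisible
)

# Control characters a broadcast message legitimately needs.
_ALLOWED_CONTROLS = {"\t", "\n"}


def _is_control(ch: str) -> bool:
    """True for C0 control characters (0x00-0x1F) and DEL (0x7F)."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F


def caret_escape(ch: str) -> str:
    """Render one control character visibly in caret notation, e.g. ESC -> '^['."""
    code = ord(ch)
    return "^?" if code == 0x7F else "^" + chr(code + 0x40)


def sanitize_message(message: str) -> str:
    """Replace every control character except TAB/LF by its caret form, so the
    text can no longer steer the receiving terminal: ESC [ 33 m HI -> ^[[33mHI."""
    return "".join(
        caret_escape(ch) if _is_control(ch) and ch not in _ALLOWED_CONTROLS else ch
        for ch in message
    )


def compose_message(argv_message: Optional[str], stdin_text: str) -> str:
    """Choose the message source the way wall does (a command-line message wins,
    otherwise stdin) and run the same filter over both paths. CVE-2024-28085
    arose from filtering only the stdin path."""
    raw = argv_message if argv_message is not None else stdin_text
    return sanitize_message(raw)


if __name__ == "__main__":
    # The forged prompt arrives as visible garbage instead of a believable prompt.
    print(compose_message(FORGED_PROMPT, ""))
```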

When the shell reports that an entered command was not found, many distributions run the /usr/lib/command-not-found handler, which tries to identify the package that provides the missing command and suggests how to install it. The problem is that the non-existent command is passed to the handler as a command-line parameter, which is visible to anyone listing processes on the system (for example, an attempt to run the uninstalled utility "xsnow" shows up in the process list as "/usr/lib/command-not-found -- xsnow"). Accordingly, an attacker can monitor running processes (for example, by polling "/proc/$pid/cmdline" for a predicted PID) and recover the password the victim typed on the command line.

To get the user to type a password in response to the fake sudo prompt, the proposed trick is to watch the process list for a real launch of the sudo utility, wait for it to finish, and carry out the attack through wall immediately afterwards. By manipulating escape sequences, the attacker replaces the output following the real sudo run with a bogus prompt to re-enter the password. The victim may assume they mistyped the password and enter it a second time, exposing it in the arguments of the command-not-found handler.

A successful attack requires the "mesg" mode to be set to "y", which is the default in Ubuntu, Debian and CentOS/RHEL. The attack has been demonstrated on Ubuntu 22.04 in its default configuration using gnome-terminal. On Debian the attack is difficult, since the distribution does not enable the command-not-found handler by default, and on CentOS/RHEL it does not work, since the wall utility is installed without the setgid bit and has no access to other users' terminals. With Windows Terminal, the attack can be modified to alter the contents of the clipboard instead.

The vulnerability has been present in the util-linux package since 2013, when release 2.24 added the ability to pass the message on the wall command line but omitted the escape-sequence sanitisation applied to stdin. The fix is included in yesterday's util-linux 2.40 release. Notably, while the vulnerability was being fixed for the util-linux 2.39 release, another similar vulnerability was identified that allows control characters to be smuggled in through manipulation of locales.
