Linux Vulnerability “WallEscape” Leaves Users Exposed to Password Theft

by | Mar 29, 2024 | News





A critical vulnerability in the ‘wall’ command of the util-linux package, dubbed WallEscape and tracked as CVE-2024-28085, has been discovered, posing a significant security risk to Linux users. This flaw, present in every version of the package for the past 11 years up to version 2.40, could potentially enable an unprivileged attacker to steal passwords or manipulate the victim’s clipboard.

WallEscape was discovered by security researcher Skyler Ferrante. Although exploitation could let an unprivileged attacker steal passwords or manipulate a victim’s clipboard, it is constrained to specific scenarios.

To successfully exploit WallEscape, an attacker must first gain access to a Linux server with multiple users concurrently connected through the terminal. This setting is commonly found in institutions like universities, where numerous students might be logged in simultaneously for various academic tasks.

At the core of WallEscape lies what Ferrante describes as “improper neutralization of escape sequences in wall”. The vulnerability affects the ‘wall’ command, which is typically used on Linux systems to broadcast messages to the terminals of all users logged in to the same server.

 


WallEscape Exploit

The exploit leverages the improper filtering of escape sequences within command-line arguments. By injecting escape control characters, an attacker could fabricate a fake sudo prompt on other users’ terminals, tricking them into divulging their administrator passwords.

Ferrante outlines specific conditions necessary for successful exploitation. Notably, the ‘mesg’ utility must be active, and the wall command must possess setgid permissions. While these conditions are met in certain distributions like Ubuntu 22.04 LTS and Debian 12.5, they are absent in others like CentOS.

Proof-of-concept exploit code has been made available, illustrating how attackers could capitalize on WallEscape. Ferrante also provides detailed exploitation scenarios, including one that involves crafting a counterfeit sudo prompt within the Gnome terminal to deceive users into disclosing sensitive information.

Additionally, the vulnerability report outlines a method to manipulate a target user’s clipboard through escape sequences. Although this tactic is not universally effective across all terminal emulators, it poses a significant risk to those employing susceptible environments.




Mitigation

Mitigating WallEscape’s threat requires immediate action. Users are urged to upgrade to util-linux v2.40 to patch the vulnerability. Administrators can further mitigate risk by removing setgid permissions from the ‘wall’ command or by disabling message broadcast functionality using the ‘mesg’ command.
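One way to check a host against the conditions and mitigations described above, as an added example that is not from the article or from Ferrante's report. The function names are illustrative; it assumes `sort -V` is available and that `wall --version` prints a util-linux version string.

```shell
#!/bin/sh
# Added example: audit a host for the WallEscape preconditions named in the article.
FIXED_VERSION="2.40"   # fixed util-linux release, as stated in the article

# Succeeds if version $1 sorts strictly before $2 (assumes sort -V is available).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Pull the first dotted version number out of e.g. "wall from util-linux 2.37.2".
parse_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Succeeds if $1 is a regular file with the setgid bit set.
is_setgid() {
    [ -f "$1" ] && [ -g "$1" ]
}

# Map (version, setgid yes/no) to a verdict: patched, mitigated, unknown, exposed.
classify() {
    if [ -n "$1" ] && ! version_lt "$1" "$FIXED_VERSION"; then
        echo patched
    elif [ "$2" = no ]; then
        echo mitigated   # old code, but the setgid precondition is gone
    elif [ -z "$1" ]; then
        echo unknown     # setgid, version unreadable: check the package manager
    else
        echo exposed
    fi
}

# Audit the wall binary at $1; prints a verdict, returns 1 only for "exposed".
# The body is a subshell, so "exit" leaves the function, not the caller.
audit_wall() (
    bin="$1"
    if [ ! -e "$bin" ]; then echo absent; exit 0; fi
    ver="$(parse_version "$("$bin" --version 2>/dev/null)")"
    if is_setgid "$bin"; then sgid=yes; else sgid=no; fi
    verdict="$(classify "$ver" "$sgid")"
    echo "$bin: util-linux ${ver:-?}, setgid=$sgid -> $verdict"
    [ "$verdict" != exposed ]
)

# Run only when a path is given, e.g.: sh audit_wall.sh /usr/bin/wall
if [ "$#" -gt 0 ]; then audit_wall "$1"; fi
```

Message acceptance is a per-terminal setting, so the script does not cover it: each user can run `mesg` to see the current state and `mesg n` to refuse broadcasts.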

While WallEscape underscores the importance of vigilance in system security, its exploitation is contingent upon local access, limiting its severity to multi-user environments. Nonetheless, proactive measures are essential to safeguard against potential breaches and protect sensitive information from exploitation.


Source: bleepingcomputer.com
