Vulnerability allowing escape sequences to be injected into other users' terminals

A vulnerability (CVE-2024-28085) has been identified in the wall utility, shipped in the util-linux package and intended for sending messages to terminals, which allows an attack on the terminals of other users through manipulation of escape sequences. The problem is that wall filters escape sequences from a message read on its input stream but does not do so for a message passed as a command line argument, allowing an attacker to inject escape sequences into other users' terminals.

For example, executing 'wall $(printf "\033[33mHI")' prints "HI" in yellow. Using escape sequences that move the cursor, clear the screen and replace content, an attacker can imitate a sudo password prompt in another user's terminal. If the user does not notice the trick and types their password, it ends up in the shell history as a non-existent command (the user has in fact typed the password on the command line in place of a command). The sequence used in the demonstration:

"\033[3A" // move the cursor up 3 lines
"\033[K" // delete the previous output
"[sudo] password for a_user:" // display a dummy sudo request
"\033[?25l" // hide the cursor
"\033[38;2;48;10;36m" // set the text colour to match the background, hiding the input
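The fix, in essence, is to treat a command-line message the same way as a message read from stdin: make every control character visible before it reaches anyone's terminal. The following Python function is an added example, not util-linux code; it renders control characters in caret notation (the same convention `cat -v` uses), so the ESC byte that opens every sequence above prints as the two plain characters "^[" and can no longer drive the terminal. The sample payload is constructed from the sequences quoted in the article; the exact output format util-linux chose is not reproduced here.

```python
# Added example (not util-linux code): a model of the sanitisation wall
# should apply to messages given on the command line. Every control
# character is rendered in caret notation, so an ESC byte becomes "^["
# and can no longer start a terminal control sequence.

def sanitize_message(message: str, keep: str = "\n\t") -> str:
    """Return `message` with all terminal control characters made visible.

    - C0 controls (0x00-0x1F) become ^@ .. ^_   (ESC 0x1B -> ^[)
    - DEL (0x7F) becomes ^?
    - C1 controls (U+0080-U+009F) become M-^@ .. M-^_ ; these matter
      because on a UTF-8 terminal U+009B behaves like ESC [ (CSI)
    Characters listed in `keep` (newline and tab by default) pass through.
    """
    out = []
    for ch in message:
        code = ord(ch)
        if ch in keep:
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:
            out.append("M-^" + chr(code - 0x80 + 0x40))
        else:
            out.append(ch)
    return "".join(out)


def contains_control_sequences(message: str, keep: str = "\n\t") -> bool:
    """True if the message carries terminal control characters, i.e. if
    sanitize_message would change it. Usable as a log/detection signal."""
    return sanitize_message(message, keep) != message


# Constructed sample built from the sequences quoted in the article:
# cursor up, erase line, bogus prompt, hide cursor, recolour the text.
FAKE_PROMPT = (
    "\033[3A"
    "\033[K"
    "[sudo] password for a_user:"
    "\033[?25l"
    "\033[38;2;48;10;36m"
)

if __name__ == "__main__":
    print(sanitize_message("\033[33mHI"))               # ^[[33mHI
    print(sanitize_message(FAKE_PROMPT))                # all ESC bytes now "^["
    print(contains_control_sequences("plain text"))     # False
```

Run as a script it prints the neutralised forms; after sanitisation the fake prompt is just a line of visible text on the recipient's screen, which is what wall already did for messages arriving on stdin.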

When the shell reports that an entered command was not found, many distributions run the /usr/lib/command-not-found handler, which tries to identify the package containing the missing command and suggests how it can be installed. The problem is that the non-existent command is passed to the command-not-found handler as a command line parameter, which is visible to anyone listing processes on the system (for example, when trying to run the uninstalled utility "xsnow", the process list shows "/usr/lib/command-not-found -- xsnow"). Accordingly, an attacker can monitor running processes (for example, by polling "/proc/$pid/cmdline" for predicted PID values) and recover the password the victim typed on the command line.

To get the user to enter a password in response to the fictitious sudo prompt, a trick has been proposed: watch the process list for an actual launch of the sudo utility, wait for it to finish, and send the wall message immediately afterwards. By manipulating escape sequences, the attacker replaces the output following the real sudo run with a bogus password re-entry prompt. The victim may assume they mistyped the password and enter it a second time, exposing it in the arguments of the "command-not-found" handler.

A successful attack requires the "mesg" mode to be set to "y", which is the default in Ubuntu, Debian and CentOS/RHEL. The attack has been demonstrated on Ubuntu 22.04 in its default configuration using gnome-terminal. On Debian the attack is harder, since the "command-not-found" handler is not enabled by default in the distribution, and on CentOS/RHEL the attack does not work, since the wall utility is installed without the setgid flag and has no access to other users' terminals. When Windows Terminal is used, the attack can be modified to change the contents of the clipboard.
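The preconditions listed above (mesg set to "y", a setgid wall binary, a command-not-found handler present, and a util-linux older than the fixed release) are all things an administrator can check locally. The script below is an added example, not part of the article, that gathers them; the pure helper functions are separated from the live host probes so the logic can be tested on constructed input. It assumes the util-linux `wall --version` banner has the form "wall from util-linux X.Y.Z" and that `mesg` prints "is y" or "is n", and it treats 2.40 as the first fixed version as the article states.

```python
# Added example (not part of the original article or of util-linux):
# audit the local preconditions the article names for CVE-2024-28085.
import os
import re
import shutil
import stat
import subprocess

FIXED_VERSION = (2, 40)  # per the article: the fix shipped in util-linux 2.40


def is_setgid(mode: int) -> bool:
    """True if a file mode carries the setgid bit (e.g. 0o2755).
    wall needs setgid (group tty) to write to other users' terminals;
    CentOS/RHEL ship it without the bit, which is why the attack fails there."""
    return bool(mode & stat.S_ISGID)


def parse_util_linux_version(banner: str):
    """Turn 'wall from util-linux 2.39.3' into (2, 39, 3); None if no match."""
    m = re.search(r"util-linux\s+(\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed_version(version) -> bool:
    """Compare against FIXED_VERSION. Caveat: distributions often backport
    fixes without bumping the version, so False means 'check the distro
    advisory', not 'confirmed vulnerable'."""
    return version is not None and tuple(version) >= FIXED_VERSION


def mesg_allows_writes(mesg_output: str):
    """Interpret `mesg` output: 'is y' means other users may write to this
    tty (the default the article names); 'is n' blocks them; else unknown."""
    text = mesg_output.strip()
    if text.endswith("is y"):
        return True
    if text.endswith("is n"):
        return False
    return None


def _run(cmd):
    """Run a command and return combined stdout+stderr, or '' on failure."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
        return p.stdout + p.stderr
    except (OSError, subprocess.SubprocessError):
        return ""


def audit_host() -> dict:
    """Collect the live checks on this host; anything unavailable is None."""
    findings = {}
    wall = shutil.which("wall")
    findings["wall_path"] = wall
    findings["wall_setgid"] = is_setgid(os.stat(wall).st_mode) if wall else None
    findings["util_linux_version"] = (
        parse_util_linux_version(_run([wall, "--version"])) if wall else None
    )
    findings["version_fixed"] = is_fixed_version(findings["util_linux_version"])
    # The handler is the channel through which the typed password leaks.
    findings["command_not_found_handler"] = os.path.exists("/usr/lib/command-not-found")
    # `mesg` only has meaning on a real terminal.
    findings["mesg_allows_writes"] = (
        mesg_allows_writes(_run(["mesg"])) if os.isatty(0) else None
    )
    return findings


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(f"{key}: {value}")
```

For a session on an unpatched host, `mesg n` closes the terminal to wall messages; removing the setgid bit from wall (the CentOS/RHEL configuration described above) removes its ability to reach other users' terminals system-wide.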

The vulnerability has been present in the util-linux package since 2013, when release 2.24 added the ability to pass the wall message on the command line without sanitising escape sequences in it. A fix for the vulnerability is included in yesterday's release of util-linux 2.40. Notably, an attempt to fix the vulnerability in the util-linux 2.39 release revealed another similar vulnerability, which allows control characters to be smuggled in through manipulation of locales.

Source: opennet.ru
