CVE-2024-28085: Wall in Util-Linux 2.40: Account Takeover Through Unsecure Escape Sequences In Setgid TTY Permissions

A recent vulnerability dubbed CVE-2024-28085 has been discovered in the 'wall' utility of Util-Linux. Versions through 2.40 are affected by this issue. The vulnerability permits escape sequences to be sent to other users' terminals via 'argv' due to insecure setgid TTY permissions. While escape sequences sent via 'stdin' are blocked, those received from 'argv' are not. In certain circumstances, this may lead to account takeover.

Exploit Details

The 'wall' utility in Util-Linux through 2.40, often installed with setgid TTY permissions, opens the door to an escalatory escape sequence vulnerability. While escape sequences received through 'stdin' are blocked, those received through 'argv' are left unchecked. It creates plausible scenarios in which unwarranted account takeover might occur.

Here's an example of a simple code snippet that will illustrate sending the escape sequence "\03331m" to users' terminals via 'argv':

#!/bin/sh
echo 'ESC[31m' > /tmp/evil.txt
wall /tmp/evil.txt
This will store the escape sequence in a temporary file 'evil.txt' and then broadcast it using the 'wall' command. Users connected to the terminal will see the text in red.Original References

- Util-Linux: The original reference to the source code can be found at [https://github.com/karelzak/util-linux. The specific commit which addresses this issue hasn't been made available at the time of writing. However, users are encouraged to keep an eye on the repository for updates and patches.

- CVE Details: For more information on this specific CVE, please visit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28085. The website contains additional details on the vulnerability along with other relevant CVEs.

Mitigation

Until an official fix is released, users can employ the following workaround to mitigate the identified vulnerability:

1. Remove 'setgid' permissions from the 'wall' binary, thus preventing unprivileged users from broadcasting escape sequences to other user's terminals:

`bash

sudo chmod g-s /usr/bin/wall

`

2. Encourage users to exercise caution while accessing terminal sessions, especially from untrusted sources.

Conclusion

CVE-2024-28085 alerts us to the vulnerability present in Util-Linux versions through 2.40, specifically the 'wall' utility. The capability for escape sequences to get sent to other users' terminals through 'argv' can potentially pave the way for unauthorized account takeovers. Users should be aware of this issue, implement mitigation techniques where possible, and keep an eye on official repositories for updates and fixes.

Timeline

Published on: 03/27/2024 19:15:48 UTC
Last modified on: 05/01/2024 18:15:16 UTC