Terminal Escape Sequencing Vulnerability Detected

Recently, a vulnerability was discovered in the wall utility, which is shipped in the util-linux package and is designed to send messages to terminals. The vulnerability, identified as CVE-2024-28085, allows attackers to act on the terminals of other users by manipulating escape sequences. The issue arises because wall blocks escape sequences in its input stream but fails to do so for command-line arguments, so escape sequences passed as arguments reach the terminals of other users intact.

For instance, by executing 'wall $(printf "\033[33mHi")', an attacker can display the message "Hi" in yellow. By using escape sequences that move the cursor, clear the screen, and replace content, attackers can mimic the sudo password prompt in another user's terminal. If the user falls for the trick and enters their password, it will appear in the input history as a non-existent command, revealing the password to the attacker.

When the warning about the non-existent command is displayed, various distributions run the /usr/lib/command-not-found handler. This handler tries to determine which package contains the missing command and suggests installing it. The flaw is that the non-existent command is passed to the command-not-found handler as a command-line parameter, which is visible in the system's process list. An attacker can therefore monitor running processes, for example by watching for "/proc/$pid/cmdline" to appear for the expected PID number, and read the password the victim entered on the command line.
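The filtering gap described above, shown from the defensive side as an added example (not code from the article or from util-linux): a hypothetical sanitize_for_tty() helper rewrites every control byte into visible text, and main() applies it to command-line arguments, the input path the article says was left unfiltered. The function name, buffer size and sample argument are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not util-linux code): copy src to dst, rewriting every
 * byte a terminal could act on. C0 controls and DEL become caret notation
 * (ESC -> ^[, DEL -> ^?); bytes >= 0x80, which include the 8-bit CSI 0x9b,
 * become \xNN. Newline and tab pass through.
 * Returns the length written, or -1 if dst is too small. */
int sanitize_for_tty(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[5];
        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f))
            snprintf(buf, sizeof buf, "%c", *p);
        else if (*p < 0x20 || *p == 0x7f)
            snprintf(buf, sizeof buf, "^%c", *p ^ 0x40);  /* 0x1b -> '[' */
        else
            snprintf(buf, sizeof buf, "\\x%02x", *p);
        size_t n = strlen(buf);
        if (o + n + 1 > dstlen)   /* keep room for the terminating NUL */
            return -1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Demo: filter each command-line word the same way stdin text is filtered. */
int main(int argc, char **argv)
{
    char *sample[] = { "", "\033[33mHi" };  /* constructed input when no args */
    char out[4096];
    if (argc < 2) {
        argv = sample;
        argc = 2;
    }
    for (int i = 1; i < argc; i++)
        if (sanitize_for_tty(argv[i], out, sizeof out) >= 0)
            printf("%s%s", out, i + 1 < argc ? " " : "\n");
    return 0;
}
```

Run with the argument from the article's example, the output is the literal text ^[[33mHi rather than a colour change, because no escape byte reaches the terminal.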
