A vulnerability in wall of the util-linux package allows arbitrary text to be placed on other terminals

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

A rather unusual vulnerability was recently disclosed (already cataloged as CVE-2024-28085). The bug, found in the wall utility of the util-linux package, allows an attacker to use escape sequences to manipulate other users' terminals.

This vulnerability has drawn a lot of attention because it essentially enables phishing: wall is designed to send messages to other terminals, and the flaw lets those messages be used to deceive other users and extract information from their terminals.

The problem is that wall filters escape sequences out of the message when it is read from the input stream, but not when the message is passed as a command-line argument, which makes it possible for an attacker to send escape sequences to other users' terminals.

For instance, by running wall with escape sequences that move the cursor and delete and replace content on the screen, an attacker can simulate a sudo password prompt on another user's terminal. If the user does not notice the manipulation and types their password, the password ends up in the command history as a non-existent command (because it was entered directly on the command line instead of a valid command).

When the shell reports that the entered command was not found, many distributions run the /usr/lib/command-not-found handler. This handler attempts to identify the package that contains the missing command and hints at whether it can be installed. However, there is a problem: when the command-not-found handler is started, the non-existent command is passed to it as a command-line parameter. This is visible when viewing the processes on the system, so an attacker could monitor the running processes and determine the password the victim entered on the command line.

To induce a user to enter a password in response to a fake sudo message, a trick has been proposed: track the actual start of the sudo utility in the process list, wait for it to finish, and perform the wall attack immediately afterwards. By manipulating escape sequences, the attacker replaces the output following the real sudo run with a fake request to re-enter the password. The victim may think they mistyped the password and enter it again, thereby revealing it in the arguments of the command-not-found handler.

Some people have misunderstood in which scenarios this could be used to attack another user. We don't need to attack sudo, we can attack anywhere the user enters their password, a basic example is after a user logs in using OpenSSH.

To carry out a successful attack, the "mesg" mode must be set to "y", which is the default on systems such as Ubuntu, Debian and CentOS/RHEL. The attack has been successfully demonstrated on Ubuntu 22.04 using gnome-terminal with its default settings. On Debian, however, the attack is harder because the "command-not-found" handler is not enabled by default. On CentOS/RHEL the attack does not work, since the wall utility is installed without the setgid flag and therefore has no access to other users' terminals. If Windows Terminal is used, the attack can be modified to change the contents of the clipboard.
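As an added illustration (not code from util-linux or from the original article), the following Python shows the two things a defender would want from the description above: rendering control bytes in a wall-style message visibly instead of letting the terminal act on them, and checking the preconditions the article names, a setgid wall binary and a group-writable tty (mesg y). The caret notation and the fixed byte ranges are this example's own choices, not util-linux's actual implementation; the function names and the sample message are constructed.

```python
import os
import re
import shutil
import stat

# CSI sequences (cursor movement, screen clearing) and OSC sequences (title, clipboard).
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")

def find_escape_sequences(message: str) -> list:
    """Return every CSI/OSC sequence in a message, e.g. to flag suspicious wall traffic."""
    return CSI_RE.findall(message) + OSC_RE.findall(message)

def sanitize_wall_message(message: str) -> str:
    """Render control bytes in caret notation so the terminal displays rather than obeys them.
    Fixed byte ranges are used instead of the locale's notion of "printable"."""
    out = []
    for ch in message:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20:            # C0 controls; ESC (0x1b) becomes ^[
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:   # C1 controls, e.g. the 8-bit CSI byte 0x9b
            out.append("M-^" + chr(code - 0x40))
        else:
            out.append(ch)
    return "".join(out)

def wall_can_reach_tty(wall_mode: int, tty_mode: int) -> bool:
    """True when a setgid wall binary meets a tty whose group-write bit is on (mesg y)."""
    return bool(wall_mode & stat.S_ISGID) and bool(tty_mode & stat.S_IWGRP)

def check_local_exposure() -> dict:
    """Inspect this host: is wall setgid, and is the current tty group-writable?"""
    wall_path = shutil.which("wall")
    wall_mode = os.stat(wall_path).st_mode if wall_path else 0
    try:
        tty_mode = os.stat(os.ttyname(0)).st_mode
    except OSError:                  # no controlling terminal (cron, CI, a pipe)
        tty_mode = 0
    return {"wall_setgid": bool(wall_mode & stat.S_ISGID), "tty_group_writable": bool(tty_mode & stat.S_IWGRP),
            "exposed": wall_can_reach_tty(wall_mode, tty_mode)}

if __name__ == "__main__":
    sample = "\x1b[2J\x1b[HConstructed sample message\n"   # clear screen, home cursor
    print(find_escape_sequences(sample), sanitize_wall_message(sample), check_local_exposure())
```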

This vulnerability has been present in util-linux since 2013, when version 2.24 introduced the ability to specify the message on the wall command line but failed to sanitize escape sequences in it. A fix has been included in the most recent release, util-linux 2.40, which was released yesterday. It is worth mentioning that while attempting to fix the vulnerability in util-linux 2.39, another similar vulnerability was identified that allows control characters to be slipped through by manipulating locale settings.

If you are interested in learning more, you can consult the details at the following link.