Clipboard Hijacking and User Password Leaks May Result from a New Linux Bug

Details have emerged about a vulnerability in the “wall” command of the util-linux package. On certain Linux distributions, a malicious actor could exploit this weakness to modify the clipboard or steal a user’s password.

Security researcher Skyler Ferrante has given CVE-2024-28085 the nickname WallEscape. The flaw has been characterized as a case of improper neutralization of escape sequences.

“The util-linux wall command does not filter escape sequences from command line arguments,” Ferrante indicated. “This allows unprivileged users to put arbitrary text on other users’ terminals if mesg is set to “y” and wall is set.”

In August 2013, a commit introduced the vulnerability.

The “wall” command sends a message to the terminals of every user currently logged in to a server. It lets users with elevated privileges broadcast critical information, such as a system shutdown, to all local users.

The man page for the Linux command states, “The wall displays a message, the contents of a file, or otherwise its standard input, on the terminals of all currently logged-in users.” “Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program that automatically denies messages.”

An attacker can exploit CVE-2024-28085 to trick users into typing their passwords at a bogus sudo (also known as superuser do) prompt displayed on their terminals, using inadequately filtered escape sequences supplied as command line arguments.

However, for this to work, the mesg utility must be set to “y” (i.e., enabled) and the wall command must have setgid permissions.

Both Ubuntu 22.04 and Debian Bookworm satisfy these conditions, making them vulnerable to CVE-2024-28085. In contrast, CentOS is not vulnerable because its wall command does not have the setgid permission.

“On Ubuntu 22.04, we have enough control to leak a user’s password by default,” Ferrante indicated. “The only indication of an attack on the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history.”

Likewise, on systems that allow wall messages to be sent, an attacker can modify a user’s clipboard by using escape sequences on particular terminals, such as the Windows Terminal. The technique does not work on the GNOME Terminal.

Users should update to util-linux version 2.40 to lessen the impact of the vulnerability.

“[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users terminals if mesg is set to y and *wall is setgid*,” according to the release’s documentation. “Not all distros are affected (e.g., CentOS, RHEL, and Fedora are not; the Ubuntu and Debian walls are both setgid, and mesg is set to y by default).”

The disclosure coincides with security researcher Selwyn’s recent revelation of a use-after-free vulnerability in the Linux kernel’s netfilter subsystem that could lead to local privilege escalation.

Tracked as CVE-2024-1086 with a CVSS score of 7.8, the vulnerability stems from a failure in the input sanitization of netfilter verdicts. It could enable a local attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. A commit resolved the issue on January 24, 2024.
