Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927980 (CVE-2024-28085) - <sys-apps/util-linux-2.39.3-r6[tty-helpers]: wall escape sequence issues
Summary: <sys-apps/util-linux-2.39.3-r6[tty-helpers]: wall escape sequence issues
Status: UNCONFIRMED
Alias: CVE-2024-28085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://people.rit.edu/sjf5462/683171...
Whiteboard: B3 [stable]
Keywords:
Depends on: 927999
Blocks:
  Show dependency tree
 
Reported: 2024-03-27 18:22 UTC by Hank Leininger
Modified: 2024-05-11 23:42 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2024-03-27 18:22:55 UTC
wall(1) in all versions of util-linux since ~2013 until now ( does not filter escape sequences; this can be used to manipulate users with backspacing over prompts, etc. We only build wall(1) with USE=tty-helpers

The example exploits require things like ps visibility (could be prevented by hidepid=) and leverage things like command-not-found wrappers (not used on Gentoo systems by default if at all?) or users using sudo. But probably more creative tactics could be used where those conditions aren't met.

The advisory does not mention any communications with upstreams or distros. The CVE has been issued but isn't visible from NIST, MITRE, etc. I can find no public discussion in util-linux github, etc.

However, Ubuntu apparently shipped a patch about an hour ago:

https://launchpad.net/ubuntu/+source/util-linux/2.39.1-4ubuntu2.1
http://launchpadlibrarian.net/720653769/util-linux_2.39.1-4ubuntu2_2.39.1-4ubuntu2.1.diff.gz

I have not tested that patch yet. It has not landed in https://github.com/util-linux/util-linux/blob/master/term-utils/wall.c
Comment 1 Hank Leininger 2024-03-27 22:58:34 UTC
That fix has hit the stable/v2.40 branch:

https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253


But neither master nor stable/v2.39 branches.

Also, as soon as this got attention, more related issues have been pointed out:

https://marc.info/?l=oss-security&m=171157493020922&w=4
Comment 2 Larry the Git Cow gentoo-dev 2024-03-28 16:44:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5af27a0a2b08e0035abb6a7e080aaa27cf80ce63

commit 5af27a0a2b08e0035abb6a7e080aaa27cf80ce63
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-03-28 16:42:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-28 16:42:03 +0000

    sys-apps/util-linux: backport fix for CVE-2024-28085
    
    Bug: https://bugs.gentoo.org/927980
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/util-linux-2.39.3-CVE-2024-28085.patch   |  25 ++
 sys-apps/util-linux/util-linux-2.39.3-r6.ebuild    | 415 +++++++++++++++++++++
 2 files changed, 440 insertions(+)
Comment 3 Skyler Ferrante 2024-03-29 16:21:06 UTC
(In reply to Hank Leininger from comment #0)
> wall(1) in all versions of util-linux since ~2013 until now ( does not
> filter escape sequences; this can be used to manipulate users with
> backspacing over prompts, etc. We only build wall(1) with USE=tty-helpers
> 
> The example exploits require things like ps visibility (could be prevented
> by hidepid=) and leverage things like command-not-found wrappers (not used
> on Gentoo systems by default if at all?) or users using sudo. But probably
> more creative tactics could be used where those conditions aren't met.
> 
> The advisory does not mention any communications with upstreams or distros.
> The CVE has been issued but isn't visible from NIST, MITRE, etc. I can find
> no public discussion in util-linux github, etc.

Although not mentioned in the advisory, I did report the issue to distros openwall. Not sure if Gentoo is in that mailing list.

Like you mentioned, my exploit requires certain conditions, but it is possible to use this bug without them. In terms of "could be prevented by hidepid", it may be possible to use atimes or side channels (flush+reload) to "know" when commands are executed. It is also possible to attack a user who does not have a "command-not-found" style wrapper. We could wait for a user to run a command like "cat ~/.ssh/id_rsa.pub", and overwrite their key in the terminal with our own. Command not found is just a very convenient way to leak information, and makes exploitation much more dangerous.

That being said, I don't think this bug is that bad on Gentoo if you don't have a command not found handler. It would be quite difficult to exploit, and you would have to craft an attack against a particular users workflow.