CVE-2024-28085 in util-linux
Summary
by MITRE • 03/27/2024
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
Analysis
by VulDB Data Team • 08/04/2025
The vulnerability identified as CVE-2024-28085 resides within the wall command of util-linux version 2.40 and earlier, presenting a significant security risk due to improper handling of escape sequences in terminal environments. This issue specifically affects systems where the wall command is installed with setgid tty permissions, creating a privilege escalation vector that can be exploited by malicious actors. The wall command serves as a system messaging utility designed to broadcast messages to all logged-in users, making it a critical component in system administration and user communication within Unix-like environments.
The technical flaw stems from the differential handling of escape sequences between the stdin and argv input sources within the wall command implementation. When escape sequences are received through stdin, the program blocks them to prevent terminal manipulation. When the same sequences are passed as command line arguments via argv, however, the blocking mechanism is not applied. This inconsistency creates an attack surface where an attacker can craft malicious escape sequences in command line arguments that will be interpreted by the target users' terminals. The vulnerability operates at the terminal emulation level, where escape sequences can manipulate terminal behavior, potentially allowing for command injection, screen manipulation, or even session hijacking.
The operational impact of this vulnerability extends beyond simple message broadcasting, as it can potentially lead to account takeover scenarios when exploited properly. Attackers can leverage this weakness to inject malicious escape sequences that manipulate terminal sessions of other users, potentially gaining unauthorized access to their accounts or executing arbitrary commands within their terminal contexts. This risk is particularly elevated in multi-user environments where users share terminal sessions or when the wall command is frequently used for system notifications. The setgid tty permissions on the wall binary amplify the threat, as they provide elevated privileges that can be leveraged to execute more sophisticated attacks against user sessions.
The vulnerability aligns with CWE-157 and CWE-787 within the Common Weakness Enumeration framework, specifically addressing issues related to improper input validation and insecure handling of command line arguments. From an ATT&CK perspective, this weakness maps to T1059.007 for command and scripting interpreter and T1068 for exploit for privilege escalation, as the vulnerability enables attackers to manipulate terminal sessions and potentially escalate privileges. Exploitation has minimal prerequisites: it only requires the ability to execute the wall command with the appropriate permissions, making the issue particularly dangerous in environments where the command is accessible to untrusted users. Organizations should prioritize patching this vulnerability through updated util-linux versions and consider implementing additional access controls around the wall command to prevent unauthorized usage.
This vulnerability demonstrates the importance of consistent input validation across all input channels within system utilities, particularly those operating with elevated privileges. The failure to apply the same security controls to argv inputs as to stdin inputs creates a dangerous inconsistency that can be exploited by attackers. System administrators should monitor for unusual usage patterns of the wall command and implement proper access controls to limit who can execute it with elevated privileges. Additionally, regular security assessments should evaluate the privilege model of system utilities to ensure that elevated permissions are not unnecessarily granted to commands that may be vulnerable to input manipulation attacks.
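The inconsistency described above (escape sequences neutralized on the stdin path but not on the argv path) and the remedy called for here (one sanitizer for every input channel) can be illustrated with a small broadcast-style program. This is an added example, not util-linux's own code: it takes the message from argv when arguments are present and from stdin otherwise, and routes both through the same `sanitize_message` function, which rewrites C0 control bytes and DEL in caret notation so a receiving terminal never interprets them.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative sanitizer (not util-linux's code): every C0 control byte and
 * DEL is rewritten in caret notation (ESC 0x1b -> "^[", DEL 0x7f -> "^?") so
 * the receiving terminal sees printable text instead of an escape sequence.
 * Newline and tab are kept, since a broadcast message legitimately uses them.
 * Returns bytes written (without the NUL), or 0 when `out` is too small. */
size_t sanitize_message(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;
        int is_ctrl = (c < 0x20 && c != '\n' && c != '\t') || c == 0x7f;
        size_t need = is_ctrl ? 2 : 1;
        if (o + need >= outlen)          /* keep room for the terminating NUL */
            return 0;
        if (is_ctrl) {
            out[o++] = '^';
            out[o++] = (c == 0x7f) ? '?' : (char)(c + '@'); /* 0x1b + '@' == '[' */
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

/* Both input channels pass through the same sanitizer: the message comes
 * from argv when arguments are given, otherwise from stdin (as wall does). */
int main(int argc, char **argv)
{
    char raw[4096] = "", clean[2 * sizeof raw];
    if (argc > 1) {
        for (int i = 1; i < argc; i++) {
            if (strlen(raw) + strlen(argv[i]) + 2 >= sizeof raw)
                break;
            strcat(raw, argv[i]);
            strcat(raw, i + 1 < argc ? " " : "\n");
        }
    } else {
        size_t n = fread(raw, 1, sizeof raw - 1, stdin);
        raw[n] = '\0';
    }
    if (sanitize_message(raw, clean, sizeof clean) == 0 && raw[0] != '\0') {
        fputs("message too long\n", stderr);
        return 1;
    }
    fputs(clean, stdout);   /* an argv of $'\e[2J' is shown as "^[[2J" */
    return 0;
}
```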