CVE-2024-28085 Overview
CVE-2024-28085 is a terminal escape sequence injection vulnerability in the wall command of util-linux through version 2.40. The wall utility, commonly installed with setgid tty permissions on Linux systems, allows attackers to send arbitrary escape sequences to other users' terminals through command-line arguments (argv). While the utility correctly blocks escape sequences received from standard input (stdin), it fails to sanitize escape sequences passed through argv, potentially enabling social engineering attacks or account takeover in certain scenarios.
Critical Impact
Local attackers with basic user privileges can inject terminal escape sequences to manipulate other users' terminal displays, potentially leading to credential theft through fake prompts or terminal manipulation attacks.
Affected Products
- util-linux through version 2.40
- Debian Linux 10.0
- Systems with wall installed with setgid tty permissions
Discovery Timeline
- March 27, 2024 - CVE-2024-28085 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-28085
Vulnerability Analysis
The vulnerability resides in the wall command's input handling mechanism. The wall utility is designed to broadcast messages to all users logged into a system, typically used for system administration announcements. When installed with setgid tty permissions, the utility has elevated privileges to write to other users' terminal devices.
The core issue stems from inconsistent input sanitization. The developers implemented filtering for escape sequences received from stdin to prevent terminal manipulation attacks, recognizing the security implications of allowing arbitrary control characters to be written to other users' terminals. However, this same sanitization was not applied to messages passed through command-line arguments.
Terminal escape sequences (ANSI escape codes) can be used maliciously to manipulate terminal output in various ways, including clearing screens, repositioning cursors, changing text colors, or even creating fake login prompts. An attacker could craft a malicious message containing escape sequences that, when displayed on a victim's terminal, could present a convincing fake sudo password prompt or other credential harvesting interface.
Root Cause
The root cause is an input validation bypass vulnerability (CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences). The wall command applies different sanitization rules depending on the input source - escape sequences are filtered from stdin but are passed through unfiltered when provided via argv. This inconsistency creates an exploitable condition where attackers can bypass the intended security controls by simply passing their malicious payload as a command-line argument rather than through stdin.
Attack Vector
This is a local attack vector requiring the attacker to have basic user-level access to the system. The attack requires:
- Local access to the target system with a valid user account
- The wall command installed with setgid tty permissions
- Other users actively logged into terminals on the same system
An attacker would craft a message containing ANSI escape sequences designed to manipulate the victim's terminal display. By passing this crafted message as an argument to the wall command, the escape sequences bypass the stdin filtering and are written directly to all logged-in users' terminals. The attacker could create fake prompts, hide their message in the terminal output, or manipulate the display in ways that could trick users into revealing sensitive information.
For technical details on exploitation techniques, refer to the GitHub PoC Repository and the official security advisory.
Detection Methods for CVE-2024-28085
Indicators of Compromise
- Unusual wall command executions containing escape sequence patterns (e.g., \\x1b[, \033[)
- Suspicious authentication attempts following wall broadcasts
- User reports of unexpected terminal behavior or fake prompts appearing
- System logs showing wall invocations with unusually long or encoded arguments
Detection Strategies
- Monitor process execution logs for wall command invocations with arguments containing escape sequences or non-printable characters
- Implement terminal session logging to capture and analyze suspicious broadcast messages
- Deploy endpoint detection rules to flag wall executions with encoded payloads matching ANSI escape sequence patterns
- Review authentication logs for credential submission attempts that correlate temporally with wall broadcasts
Monitoring Recommendations
- Enable auditd rules to log all wall command executions along with their arguments
- Configure SIEM correlation rules to detect patterns of wall usage followed by authentication events
- Implement user behavior analytics to identify anomalous wall usage patterns
- Consider alerting on wall commands executed by non-administrative users
How to Mitigate CVE-2024-28085
Immediate Actions Required
- Update util-linux to a patched version that filters escape sequences from argv
- Remove setgid tty permissions from the wall binary if the utility is not required
- Restrict wall command usage to administrative users only via file permissions or PAM configurations
- Enable the mesg n setting for all users to prevent unsolicited terminal messages
Patch Information
Security patches addressing this vulnerability are available from distribution maintainers. The Debian LTS Announcement provides patched packages for Debian systems. Updated packages can be obtained from the Linux Utils GitHub Repository. Additionally, NetApp has issued a security advisory for affected products.
Workarounds
- Set mesg n in user shell profiles to disable terminal message reception
- Remove setgid permissions from the wall binary: chmod g-s /usr/bin/wall
- Restrict wall execution to the root user only
- Consider uninstalling or disabling the wall utility if not required for operations
# Configuration example
# Disable message reception for the current user
mesg n
# Add to /etc/profile or user's .bashrc to disable by default
echo "mesg n" >> /etc/profile
# Remove setgid permissions from wall (requires root)
chmod g-s /usr/bin/wall
# Alternatively, restrict wall to root only
chmod 700 /usr/bin/wall
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
