Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2024-28085

Source

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2024-28085: Escape sequence injection in util-linux wall

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Karel Zak &lt;kzak () redhat com&gt;

Date: Thu, 28 Mar 2024 10:10:27 +0100

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Thu, Mar 28, 2024 at 12:29:35AM +0100, Solar Designer wrote:

?? https://github.com/util-linux/util-linux/commit/404b0781f52f7c04
  ("wall: fix escape sequence Injection [CVE-2024-28085]")

Would enforcing UTF-8 validity (regardless of user locale) be a
solution?

Not a complete solution. 

There is only one real solution: do not allow non-root users to write
to foreign file descriptors. Do not install wall(1) with suid. That's
all.

For now, it is enabled by default in the upstream tree, but I will
disable it in the next releases and explicit --enable-* will be
required. We also need to add more information to the man pages.

    Karel

I'm currently not aware of a safe way to allow
multi-byte characters coming from concurrent writers, see:

https://www.openwall.com/lists/oss-security/2015/09/20/1

and the next message in that thread.

In fact, even plain ASCII isn't entirely safe if it just happens to be
injected into the middle of a control sequence that the target user's
program was printing, thereby altering its effect.

That said, perhaps write(1)/wall(1) just shouldn't allow bytes from both
C0 and C1 ranges (except for TAB, LF, space) regardless of locale
settings, at least when the programs are running SUID/SGID.  That is,
unless the invoking user - which in this case is likely root - could
have directly written to the target user's tty anyway.  In other words,
mostly revert those offending commits.  Or just revert them completely.

Alexander

-- 
 Karel Zak  &lt;kzak () redhat com&gt;
 http://karelzak.blogspot.com

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2024-28085: Escape sequence injection in util-linux wall Skyler Ferrante (RIT Student) (Mar 27)

Re: CVE-2024-28085: Escape sequence injection in util-linux wall nightmare . yeah27 (Mar 27)

Re: Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 28)

Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 27)

Re: CVE-2024-28085: Escape sequence injection in util-linux wall Demi Marie Obenour (Mar 27)

Re: CVE-2024-28085: Escape sequence injection in util-linux wall Solar Designer (Mar 27)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Karel Zak (Mar 28)

Re: CVE-2024-28085: Escape sequence injection in util-linux wall Alexander E. Patrakov (Mar 28)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Re: CVE-2024-28085: Escape sequence injection in util-linux wall

Vulmon Search

About

Products

Connect