CVE-2024-28085
NixOS vulnerability analysis and mitigation

Overview

The wall utility in util-linux through version 2.40 contains a vulnerability (CVE-2024-28085) that allows escape sequences to be sent to other users' terminals through command-line arguments (argv). The vulnerability was introduced in 2013 and affects all versions since then. While escape sequences received from stdin are blocked, escape sequences received from argv are not blocked (RIT Report).

Technical details

The vulnerability exists in the wall command's handling of command-line arguments. When displaying inputs from stdin, wall uses the fputs_careful function to neutralize escape characters, but fails to apply the same protection to input coming from argv. This implementation difference allows attackers to inject escape sequences through command-line arguments. The vulnerability has been assigned a CVSS 3.1 base score of 3.3 (LOW) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).
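The asymmetry described above can be closed by routing every message source through one neutralizing routine. The following is an added example, not util-linux source code: `neutralize` and `build_message` are hypothetical names, the caret and `\x` notation is an assumption of this sketch, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not util-linux's fputs_careful: copy src into dst and
 * rewrite control bytes. Returns bytes written, excluding the NUL. */
size_t neutralize(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0) return 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        char tok[5]; size_t need;
        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f)) {
            tok[0] = (char)c; need = 1;                  /* printable: keep */
        } else if (c < 0x20 || c == 0x7f) {
            tok[0] = '^'; tok[1] = (char)(c ^ 0x40); need = 2;  /* ESC -> ^[ */
        } else {                                         /* 8-bit, incl. C1 */
            need = (size_t)snprintf(tok, sizeof tok, "\\x%02x", c);
        }
        if (n + need >= dstlen) break;                   /* never split a token */
        memcpy(dst + n, tok, need);
        n += need;
    }
    dst[n] = '\0';
    return n;
}

/* Join argv-style words, then neutralize the result, so text from argv gets
 * the same treatment as text read from stdin. */
size_t build_message(int argc, char **argv, char *out, size_t outlen)
{
    char raw[512] = "";
    size_t n = 0;
    for (int i = 0; i < argc; i++) {
        int w = snprintf(raw + n, sizeof raw - n, "%s%s", i ? " " : "", argv[i]);
        if (w < 0 || (size_t)w >= sizeof raw - n) break; /* raw is full */
        n += (size_t)w;
    }
    return neutralize(raw, out, outlen);
}

int main(void)
{
    char *words[] = { "maintenance", "\033[2Jat", "noon" };  /* constructed sample */
    char out[128];
    build_message(3, words, out, sizeof out);
    return puts(out) < 0;
}
```

Neutralizing after the words are joined, rather than per source, means a new input path cannot bypass the filter by accident.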

Impact

When successfully exploited, this vulnerability allows unprivileged users to put arbitrary text on other users' terminals if mesg is set to 'y' and wall is setgid. On affected systems like Ubuntu 22.04 and Debian Bookworm, where wall is setgid and mesg is set to 'y' by default, attackers can potentially leak sensitive information, including user passwords. The vulnerability can also be used to alter the clipboard content of victims using certain terminal emulators (RIT Report, NetApp Advisory).

Mitigation and workarounds

The primary mitigation is to remove the setgid bit from the wall binary. This approach has been adopted by various distributions in their security updates. For example, Debian has released updates that remove the setgid tty permissions from the wall executable. Users can also protect themselves by setting mesg to 'n' to prevent receiving messages (Debian Advisory).

Community reactions

The security community has engaged in extensive discussion about the proper handling of terminal escape sequences and the security implications of setgid binaries. Karel Zak, the upstream maintainer, has indicated that future releases will disable setgid by default and require explicit enabling through configuration options (OSS Security).

This report was generated using AI.
