New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
https://www.indiavpn.org/2024/03/29/new-linux-bug-could-lead-to-user-password-leaks-and-clipboard-hijacking/
Fri, 29 Mar 2024 11:12:51 +0000

Mar 29, 2024 | Newsroom | Vulnerability / Linux


Details have emerged about a vulnerability impacting the “wall” command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.

The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.

“The util-linux wall command does not filter escape sequences from command line arguments,” Ferrante said. “This allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to ‘y’ and wall is setgid.”

The vulnerability was introduced as part of a commit made in August 2013.


The “wall” command is used to write a message to the terminals of all users that are currently logged in to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system shutdown).

“wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users,” the man page for the Linux command reads. “Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages.”

CVE-2024-28085 essentially exploits improperly filtered escape sequences supplied via command line arguments to draw a fake sudo prompt on other users’ terminals and trick them into entering their passwords.

However, for this to work, the mesg setting, which controls whether other users may write to a terminal, has to be set to “y” (i.e., enabled), and the wall command must be installed with setgid permissions.

CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm because both of these criteria are met by default. On the other hand, CentOS is not vulnerable since the wall command is not setgid there.

“On Ubuntu 22.04, we have enough control to leak a user’s password by default,” Ferrante said. “The only indication of attack to the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history.”

Similarly, on systems that allow wall messages to be sent, an attacker could potentially alter a user’s clipboard through escape sequences on select terminals like Windows Terminal. It does not work on GNOME Terminal.

Users are advised to update to util-linux version 2.40 to mitigate the flaw.


“[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to y and *wall is setgid*,” according to the release notes. “Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default).”

The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.

Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from a failure to sanitize netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It has been addressed in a commit pushed on January 24, 2024.

FTC Bans InMarket for Selling Precise User Location Without Consent
https://www.indiavpn.org/2024/01/22/ftc-bans-inmarket-for-selling-precise-user-location-without-consent/
Mon, 22 Jan 2024 08:45:18 +0000

Jan 22, 2024 | Newsroom | Privacy / Technology


The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data.

The settlement resolves allegations that the Texas-based company did not inform consumers or seek their consent before using their location information for advertising and marketing purposes.

“InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data,” the FTC said last week.

In addition, it has been ordered to destroy all the location data it previously collected, subject to users’ assent, and to provide a mechanism for consumers to withdraw their consent and request deletion of the information previously collected.


The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users’ visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

Like Outlogic, InMarket is said to harvest location information from its own proprietary apps like CheckPoints and ListEase, and more than 300 other third-party applications that incorporate its software development kit (SDK). These apps have been downloaded onto over 420 million unique devices since 2017.

“If the user allows access, InMarket SDK receives the device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it — ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving — and transmits it directly to [InMarket’s] servers,” the FTC complaint read.

This historical data is then used to slot consumers into nearly 2,000 segments based on the locations visited and serve tailored ads on apps that include the SDK. It also offers a product that pushes ads to consumers based on their current whereabouts, serving ads related to medicines, for example, when a person is within 200 meters of a pharmacy.

The company, which was previously exposed by The Markup in September 2021, claims to provide its “customers with access to the most accurate and precise, permission-based, SDK-derived location data available today.”

The FTC further said InMarket did little to ensure that third-party apps embedding the company’s SDK had obtained users’ express consent, noting that it failed to notify those apps that the location data provided through its SDK would be combined with other data points to create profiles of consumers.

To make matters worse, the company’s five-year data retention policy was described as “unnecessary to carry out the purposes for which it was collected” and as putting customers at risk by exposing the information to other kinds of misuse.

As mitigations, InMarket “will be required to create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data.”

The disclosure comes as a joint study published by Consumer Reports and The Markup found that Meta-owned Facebook gets data on individual users from thousands of companies.


On average, the company received data from 2,230 different companies for each of the 709 volunteers, with some identified by more than 7,000 companies. In all, the participants had their data shared by a whopping 186,892 companies.

One of those participants had information shared by nearly 48,000 different companies, suggesting “unusual app usage habits” or possibly making them an appealing candidate for microtargeted advertising.

“The company that shared data on the largest number of participants was LiveRamp, a data broker, which shared data on 679, or about 96%, of study participants,” the study said. “A large percentage of the approximately 186,000 companies that appeared in our data appeared to be either small retailers or non-national brands (or were unidentifiable by name).”
