Hello,

On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> Apparently the root of the security issue is that wall is a setguid program?

a) wall must be able to write to your tty, which is not possible if wall is not installed setguid OR if people have sane permissions on their terminals (e.g. set to mesg n)

b) in addition, for this exploit to run, command-not-found must be started with the not found command as argument: in the two Debian releases I just tried (buster and bookworm), with bash, command-not-found was not installed.

The idea of the exploit is that you get a prompt for entering a sudo password, which is a simple text (which gets more convincing because of a recently introduced bug in wall which does not filter out terminal escape / control sequences), then you type the root password, which is presumably not the name of an existing command, so command-not-found PASSWORD is run, and someone on another terminal and user can do a ps to see that password argument if he is quick or polling.

To fix this:

a) don't type a root password / sudo password unless you know that it should happen

b) don't allow others to write on your terminals, in particular if you run privileged commands and expect sudo prompts

c) patch wall so that its texts are always shown to be different from other program outputs (== filter out anything else than printable characters)
   THIS IS MY PREFERRED WORKAROUND :)
   (mixing controls (prompts) and data is always a very bad idea)

d) don't have other users on your machine / use containers.

> So. There is a program called 'mesg', hrmmm..

30 years ago it was common practice to use wall (to signal stuff to users, e.g. used by shutdown(8)).

> oof. Are there instructions somewhere on how to make Debian secure by
> default?

Looks like it is, by not installing command-not-found by default (apparently Ubuntu does). Presumably by chance.
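
Workaround (c) from the message above, sketched as an added example; this is not code from the original message or from wall itself. The function name `sanitize_broadcast` and the choice of caret and hex notation are assumptions of this example, and the input is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy msg into out, keeping printable ASCII, '\n'
 * and '\t', and rendering every other byte visibly so the receiving
 * terminal never interprets it. Simplification: bytes >= 0x80 are shown
 * as \xHH, so UTF-8 text is not preserved.
 * Returns the number of bytes neutralised, or -1 if out is too small. */
int sanitize_broadcast(const char *msg, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    int neutralised = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)msg[i];
        char buf[5];
        size_t n;

        if ((c >= 0x20 && c < 0x7f) || c == '\n' || c == '\t') {
            buf[0] = (char)c;
            n = 1;
        } else if (c < 0x20 || c == 0x7f) {
            /* C0 controls and DEL in caret notation: ESC -> ^[, CR -> ^M */
            buf[0] = '^';
            buf[1] = (char)(c ^ 0x40);
            n = 2;
            neutralised++;
        } else {
            /* 0x80-0xff, including the 8-bit CSI introducer 0x9b */
            n = (size_t)snprintf(buf, sizeof buf, "\\x%02x", (unsigned)c);
            neutralised++;
        }
        if (o + n >= outsz)
            return -1;          /* leave room for the terminating NUL */
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return neutralised;
}

int main(void)
{
    /* Constructed sample: clear-screen, CR and an 8-bit CSI sequence. */
    const char in[] = "\033[2Jhi\r\x9b" "1m\n";
    char out[128];
    int n = sanitize_broadcast(in, sizeof in - 1, out, sizeof out);
    printf("%d bytes neutralised: %s", n, out);
    return 0;
}
```

Carriage return is neutralised as well as ESC, because a bare CR lets later text overwrite the start of the line that marks the message as a broadcast.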