Password-leaking Ubuntu bug sat silent for 11 years

A newly-discovered Linux bug could allow for password leaks. Worse yet, it has sat undiscovered in the OS for the last 11 years

Password-leaking Ubuntu bug sat silent for 11 years

A long-unknown vulnerability in the Ubuntu could potentially allow an attacker to steal user passwords.

Skyler Ferrante, a student researcher at RIT, said that the bug, which has been present in Ubuntu since 2013, allows an attacker to insert text into the terminal screen for other users and, with a bit of social engineering grace, harvest their login credentials.

The vulnerability itself, designated CVE-2024-28085, is related to the way the Ubuntu Linux shell processes user input. In this case, the util-wall component fails to properly filter user input sequences.

When those sequences are not properly verified, malicious users have the ability to craft and execute scripts whose results can be displayed to other users on the local system.

This would, in turn allow the attacker to exploit the vulnerable component and run a script that would display text on the screen of other users. While an interesting trick on its own, in practice the flaw could allow for a nasty bit of social engineering.

In a real world attack scenario, an attacker with local access could set up a trap in which valid credentials could easily be harvested via the /proc directory. This would, in turn set the attacker up for further lateral attacks along the local network.

"A successful exploit on Ubuntu would allow an attacker to leak the passwords of other users, by sending a fake 'password incorrect' message as soon as the user successfully authenticates," Ferrante explained to The Stack.

"When a user sees a 'password incorrect' message they will likely just type their password in again, this time into their shell."

There is some good news. Ferrante noted that the password-stealing bug seems to be limited to Ubuntu and other distributions are not susceptible to password theft.

"On non-Ubuntu distros, we can only change what the user sees on their terminal when they run commands (can't leak anything)," the researcher explained.

"For example, an attacker could modify the output of a user running “cat /.ssh/id_rsa.pub."

Perhaps more disturbing than the flaw itself was the time it was allowed to sit vulnerable. The bug is believed to have been present since 2013 in all versions of Ubuntu.

Ferrante believes that the reason the bug has gone unexposed for so long is because it sits outside of the realm of what security researchers normally probe.

" I think it is because the only way to find it is manual analysis," Ferrante explained.

"Unlike memory corruption, I don't think any sort of fuzzing or automatic static analysis would find it. I found this bug by just reviewing a lot of source code for suid binaries."