CVE-2024-28085

LOW

util-linux <2.40 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-28085. PoCs published by skyler-ferrante, oditynet.

AI-analyzed exploit summary: This PoC exploits CVE-2024-28085, a vulnerability in the util-linux `wall` command that fails to filter escape sequences, allowing unprivileged users to inject arbitrary text into other users' terminals. The exploit leverages this to create a fake sudo prompt and harvest passwords via process monitoring.

Description

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

Exploits (2)

nomisec WORKING POC 51 stars
by skyler-ferrante · poc
https://github.com/skyler-ferrante/CVE-2024-28085

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: util-linux wall (versions since 2013)
No auth needed
Prerequisites: mesg set to 'y' · wall setgid · victim terminal accessible
Analyzed by devstral-2 on Feb 16, 2026
nomisec BACKDOOR: TROJAN 2 stars
by oditynet · poc
https://github.com/oditynet/sleepall

The repository claims to be a PoC for CVE-2024-2805 but is actually a trojan that steals sudo passwords by manipulating terminal escape sequences and exfiltrating credentials to a remote server. It disguises itself as a legitimate exploit but functions as malware.

Classification: Trojan (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: bash (sudo command)
No auth needed
Prerequisites: Victim must execute the binary · Victim must use bash and sudo
Analyzed by devstral-2 on Feb 16, 2026

References (18)

Core References
https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/28/1 (Mailing List, Patch, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/27/6 (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/27/9 (Mailing List, Patch, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/27/8 (Mailing List, Patch, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/27/7 (Mailing List, Patch, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/28/2 (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/28/3 (Mailing List, Patch, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2024/03/27/5 (Exploit, Mailing List, Third Party Advisory)

Scores

CVSS v3: 3.3
EPSS: 0.1093
EPSS Percentile: 93.6%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-150
Status: published
Products (2):
debian/debian_linux 10.0
kernel/util-linux 2.24 - 2.39.4
Published: Mar 27, 2024
Tracked Since: Feb 18, 2026