A programming library called “ncurses” has been found to contain multiple memory corruption vulnerabilities, which could be exploited by attackers to target applications running on macOS, Linux, and FreeBSD. Researchers from Microsoft discovered these vulnerabilities and described them as allowing data leaks, privilege escalation, and arbitrary code execution.
The ncurses library, which provides APIs for text-based user interfaces and terminal applications, has been widely used by programmers since its introduction in 1993. It offers various functions for creating windows, handling user input, manipulating text, and managing colors, making it a popular choice among developers working on terminal user interface applications.
The vulnerabilities discovered by Microsoft affect ncurses versions 6.4 20230408 and earlier. Specifically, the flaws allow attackers to manipulate two environment variables used by ncurses: TERMINFO and HOME. The TERMINFO variable is used to look up a terminal’s capabilities, while HOME describes the path to a user’s home directory.
An environment variable is a variable whose value can be accessed by programs at runtime, without the need to hardcode it into the program. For example, the HOME environment variable specifies the location of a user’s home directory on their system. By manipulating these variables, attackers can influence the behavior of applications, potentially leading to privilege escalation, arbitrary code execution, or denial of service.
Environment variable poisoning is a well-known attack technique, and there have been previous instances of vulnerabilities allowing for such attacks. One example highlighted by the Microsoft researchers is CVE-2023-22809, a vulnerability in the sudo command-line utility that allowed attackers to run programs with elevated privileges by manipulating the EDITOR variable.
To address the vulnerabilities in ncurses, which are collectively identified as CVE-2023-29491, the library maintainer released a patch. Developers using ncurses should ensure that they update their libraries to the latest version to mitigate the risks posed by these vulnerabilities.
Microsoft also worked with Apple’s security team to address the macOS-specific issues related to the ncurses vulnerabilities. Apple released an update for macOS Monterey on September 8, acknowledging Microsoft for discovering and reporting the issue. Users are advised to update their operating systems to ensure they are protected from potential attacks. Apple described the issue as providing a way for cyber attackers to terminate running applications or execute arbitrary code on affected systems.
Red Hat, a leading provider of open-source solutions, assessed the severity of CVE-2023-29491 as medium. The vulnerability occurs when ncurses is used by a setuid application, allowing local users to trigger security-relevant memory corruption through malformed data in a terminfo database file. Red Hat advises users to take necessary precautions and update their systems accordingly.
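As a defense-in-depth measure alongside the patch, a setuid or setgid program can drop the two variables named above before it initializes ncurses. The following is an added example, not code from ncurses, Microsoft or Red Hat; the function names are hypothetical, and it assumes the program can run without a user-supplied TERMINFO or HOME while privileged.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for unsetenv() under strict C modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The two variables the article names as attacker-influenced inputs. */
static const char *const UNTRUSTED_VARS[] = { "TERMINFO", "HOME" };
#define N_UNTRUSTED (sizeof UNTRUSTED_VARS / sizeof UNTRUSTED_VARS[0])

/* Returns 1 when real and effective IDs differ, i.e. the process was started
 * setuid or setgid and inherited its environment from a less-privileged user. */
int runs_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Removes the untrusted variables when running privileged.
 * Returns how many were removed, or -1 if unsetenv() failed. */
int scrub_terminal_env(int privileged)
{
    int removed = 0;
    if (!privileged)
        return 0;                 /* ordinary run: keep the user's settings */
    for (size_t i = 0; i < N_UNTRUSTED; i++) {
        if (getenv(UNTRUSTED_VARS[i]) == NULL)
            continue;             /* not set, nothing to remove */
        if (unsetenv(UNTRUSTED_VARS[i]) != 0)
            return -1;            /* fail closed: caller must not continue */
        removed++;
    }
    return removed;
}

int main(void)
{
    int priv = runs_privileged(getuid(), geteuid(), getgid(), getegid());
    int n = scrub_terminal_env(priv);
    if (n < 0) {
        fputs("cannot sanitize environment\n", stderr);
        return EXIT_FAILURE;
    }
    /* ncurses initialization (initscr() or setupterm()) belongs after this point. */
    printf("privileged=%d removed=%d\n", priv, n);
    return EXIT_SUCCESS;
}
```

The scrub must run before any ncurses call, because the library reads these variables when it loads the terminal description.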
In conclusion, the discovery of memory corruption vulnerabilities in the ncurses library highlights the importance of regular updates and security patches. Developers and users should ensure that they are using the latest versions of libraries and operating systems to protect against potential cyberattacks.

