A series of memory corruption vulnerabilities have come to light in the ncurses (short for “new curses”) programming library. These vulnerabilities pose a potential risk, as threat actors could leverage them to execute malicious code on susceptible Linux and macOS systems.
These security flaws, collectively identified as CVE-2023-29491, carry a CVSS score of 7.8. As of April 2023, Microsoft has taken steps to address these vulnerabilities. Additionally, Microsoft collaborated with Apple to tackle macOS-specific issues stemming from these vulnerabilities.
Environment variables are user-controlled values that many programs within a system read and that influence their behavior. Tampering with these variables can lead to applications performing actions they would not normally be authorized to execute.
During its code auditing and fuzzing efforts, Microsoft’s examination revealed that the ncurses library scans various environment variables, including TERMINFO.
These variables could be manipulated and combined with the identified vulnerabilities to achieve privilege escalation. TERMINFO refers to the terminfo database, which enables programs to interact with display terminals in a device-independent manner.
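The defensive counterpart to the point above is to not let an inherited environment steer a privileged program's terminal handling. The following is an added example, not code from the article, from Microsoft's research or from ncurses itself: it audits an inherited environment for a TERMINFO value that points outside the system's terminfo directories, and builds a sanitized environment for a child process that links against ncurses, keeping only an allowlist of variables and rejecting a malformed TERM. The allowlist, the trusted directory list and the sample environment are assumptions chosen for illustration.

```python
"""Defensive handling of terminal-related environment variables before
launching a child program that uses ncurses.

Added example (not code from the article or from ncurses). The allowlist,
the trusted terminfo directories and the sample environment are assumptions.
"""
import os
import re
import subprocess

# Variables a privileged launcher passes through unchanged (assumption).
ENV_ALLOWLIST = {"PATH", "HOME", "LANG", "LC_ALL", "USER", "LOGNAME", "TERM"}

# Directories where the system terminfo database is normally installed
# (assumption; check your distribution's packaging).
TRUSTED_TERMINFO_DIRS = (
    "/usr/share/terminfo",
    "/usr/lib/terminfo",
    "/etc/terminfo",
    "/lib/terminfo",
)

# A terminal name is a short token such as "xterm-256color": no path
# separators, no whitespace, no control characters.
TERM_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")


def untrusted_terminfo(env):
    """Audit check: return the TERMINFO value if it points outside the
    trusted system directories, otherwise None."""
    value = env.get("TERMINFO")
    if value is None:
        return None
    path = os.path.normpath(value)
    for trusted in TRUSTED_TERMINFO_DIRS:
        if path == trusted or path.startswith(trusted + os.sep):
            return None
    return value


def sanitized_env(env):
    """Build a minimal environment for a child process.

    Only allowlisted variables survive, so TERMINFO is dropped and the
    library falls back to the system database; a TERM that is not a plain
    terminal name is replaced by a conservative default.
    """
    clean = {key: value for key, value in env.items() if key in ENV_ALLOWLIST}
    term = clean.get("TERM")
    if term is not None and not TERM_NAME.match(term):
        clean["TERM"] = "dumb"
    return clean


def run_with_clean_env(argv, env=None):
    """Launch argv with a sanitized environment (assumed wrapper helper).

    With env=None the current process environment is sanitized.
    """
    source = os.environ if env is None else env
    return subprocess.run(argv, env=sanitized_env(source), check=False)


# Constructed sample: an inherited environment in which TERMINFO has been
# redirected to a user-writable directory and TERM is not a terminal name.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "../../tmp/custom",
    "TERMINFO": "/tmp/user-terminfo",
    "SHELL": "/bin/bash",
}

if __name__ == "__main__":
    print("untrusted TERMINFO:", untrusted_terminfo(SAMPLE_ENV))
    print("sanitized environment:", sanitized_env(SAMPLE_ENV))
```

Dropping TERMINFO rather than validating it is the simpler policy for a privileged wrapper: the system database is always available as a fallback, and the audit function remains useful for logging how often inherited environments carry a redirected TERMINFO.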
The range of flaws encompasses a stack information leak, a parameterized string type confusion, an off-by-one error, a heap out-of-bounds issue during the parsing of the terminfo database file, and a denial-of-service scenario involving canceled strings.
The researchers emphasized, “The vulnerabilities could potentially have been exploited by attackers to elevate their privileges and execute code within the context of a targeted program. However, it’s important to note that achieving control of a program through memory corruption vulnerabilities typically involves a multi-stage attack.”
Furthermore, they noted, “To elevate privileges, an attacker might have needed to chain these vulnerabilities together. For instance, exploiting the stack information leak to gain arbitrary read privileges, combined with exploiting the heap overflow to obtain write privileges.”