A series of memory corruption vulnerabilities has been identified in the ncurses programming library, posing a potential threat to Linux and macOS systems. Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse discovered these flaws, which could be exploited by threat actors to execute malicious code on vulnerable systems.
Furthermore, these vulnerabilities, collectively tracked as CVE-2023-29491 with a CVSS score of 7.8, have been addressed as of April 2023, and Microsoft collaborated with Apple to resolve macOS-specific issues related to these flaws.
At the same time, the vulnerabilities stem from the manipulation of environment variables, which are user-defined values that can influence how multiple programs behave on a system. Attackers could chain these vulnerabilities together, leveraging “environment variable poisoning” to elevate privileges and execute code within a targeted program’s context. This technique allows malicious actors to perform unauthorized actions and poses significant security risks.
Microsoft’s code auditing and fuzzing efforts revealed that the ncurses library searches for various environment variables, including TERMINFO. Attackers could poison these variables, combining them with the identified vulnerabilities to achieve privilege escalation.
Additionally, The ncurses library plays a crucial role in enabling programs to use display terminals in a device-independent manner. The vulnerabilities encompass several issues, including a stack information leak, parameterized string type confusion, off-by-one error, heap out-of-bounds issues during terminfo database file parsing, and a denial-of-service vulnerability related to canceled strings.
While these vulnerabilities have been addressed, the researchers emphasized that exploiting memory corruption vulnerabilities like these typically requires a multi-stage attack, involving the chaining of multiple vulnerabilities. This discovery highlights the ongoing need for robust security measures and prompt updates to safeguard against evolving threats in the digital landscape.