A series of memory corruption vulnerabilities has been uncovered within the ncurses (new curses) programming library, potentially enabling threat actors to execute malicious code on susceptible Linux and macOS systems.
In a technical report released today, Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse highlighted the exploitation potential of these vulnerabilities through environment variable poisoning. This method could be leveraged by attackers to escalate privileges and execute code within the targeted program’s context or carry out other nefarious activities.
The vulnerabilities, collectively identified as CVE-2023-29491 with a CVSS score of 7.8, were remedied as of April 2023. Microsoft collaborated with Apple to address macOS-specific issues associated with these flaws.
Environment variables, customizable values utilized by various programs on a system, play a significant role in determining program behavior. Manipulating these variables can lead to unauthorized operations by applications.
Through code auditing and fuzzing, Microsoft uncovered that the ncurses library scans for multiple environment variables, including TERMINFO. Exploiting these variables, combined with the identified flaws, could facilitate privilege escalation. TERMINFO is crucial for enabling programs to utilize display terminals in a device-independent manner.
The vulnerabilities comprise a stack information leak, parameterized string type confusion, off-by-one error, heap out-of-bounds during terminfo database file parsing, and denial-of-service with canceled strings.
The researchers emphasized that while the discovered vulnerabilities could indeed enable attackers to elevate privileges and execute code within a program’s context, exploiting memory corruption vulnerabilities typically requires a multi-stage attack.
“The vulnerabilities might have necessitated being chained together for an attacker to escalate privileges, such as utilizing the stack information leak to gain arbitrary read primitives along with exploiting the heap overflow to acquire a write primitive,” they explained.