Microsoft Flushes Out 'Ncurses' Gremlins

A widely used programming library called "ncurses" is infested by malicious gremlins — in the form of multiple memory corruption vulnerabilities that give attackers a way to target applications running in macOS, Linux, and FreeBSD.

Researchers from Microsoft uncovered the vulnerabilities in the library, which basically provides APIs for text-based user interfaces and terminal applications. In a technical report this week, researchers from the company's threat intelligence team described the bugs as allowing data leaks, privilege escalation, and arbitrary code execution.

"After discovering the vulnerabilities in the ncurses library, we worked with the maintainer, Thomas E. Dickey, and Apple to ensure the issues were resolved across platforms," the researchers said. "Exploiting vulnerabilities in the ncurses library could have notable consequences for users, allowing attackers to perform malicious actions like elevating privileges to run code in a targeted program's context and access or modify valuable data and resources."

Notable Consequences for Users

The library ncurses first became available in 1993. Programmers across different platforms use it relatively widely for developing terminal user interfaces and interfaces in text mode. The library provides functions for creating windows, manipulating text, handling user input, colors, and other use cases for terminal user interface applications.

The vulnerabilities that Microsoft discovered were all memory corruption issues in ncurses versions 6.4 20230408 and prior. The now-patched flaws specifically gave attackers a way to manipulate — or poison — an environment variable called TERMINFO that ncurses uses to look up a terminal's capabilities and another called HOME that describes the path to a user's home directory.

An environment variable is a variable whose value doesn't need to be hardcoded into a program. For example, the HOME environment variable specifies the home directory location on a specific user's system. At run-time a program would use the HOME environment variable to look up information or value associated with the label. Environment variables limit the need for application modifications every time configuration information changes as would sometimes be the case when an app is used in different environments and by different users.

Well-known Technique

Common Environment variable poisoning is a well-known attack technique where attackers modify environment variable information in a manner as to negatively influence application behavior or to cause it to crash. Common goals include privilege escalation, arbitrary code execution, and triggering denial of service conditions. As the Microsoft researchers explained in their blog, there have been multiple instances of vulnerabilities that allowed for environment variable poisoning in the past.

One example the researchers pointed to was CVE-2023-22809, a vulnerability in the sudo command-line utility that allows users in Unix-like environments, including macOS, to run programs with elevated privileges. The vulnerability stemmed from how sudo's EDITOR variable handled user-provided environment variables and basically gave attackers a way to write arbitrary files to the system.

How to Remove the ncurses Curse

Microsoft discovered a total of five memory corruption vulnerabilities in ncurses that allowed for such variable poisoning. The maintainer of the library issued a patch for the vulnerabilities which are collectively identified as CVE-2023-29491. Developers need to make sure their libraries are up-to-date.

Microsoft researchers also worked with Apple's security team on addressing the macOS specific issues related to the ncurses vulnerabilities. Apple on Sept. 8 released an update for macOS Monterey that acknowledged Microsoft for discovering and reporting the issue to it — users should update their OS versions to ensure they're protected from attack. The company described the issue as giving cyberattackers a way to potentially terminate running applications or execute arbitrary code on affected systems.

Meanwhile, Red Hat assessed CVE-2023-29491 to be a medium severity threat. "A vulnerability was found in ncurses and occurs when used by a setuid application," the company said. "This flaw allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable."