The research reveals that the vulnerabilities can allow attackers to gain unauthorized access to systems and data by modifying a program's memory.

Microsoft has discovered a set of memory corruption vulnerabilities in the ncurses library, which provides a programming interface for writing text-based user interfaces (TUIs), that is, console applications with a graphical appearance. Collectively identified as CVE-2023-29491 with a CVSS score of 7.8, the vulnerabilities can allow attackers to gain unauthorized access to systems and data by modifying a program's memory.

"Fixes for these vulnerabilities have been successfully deployed by the maintainers of the ncurses library, Thomas E. Dickey, in commit 20230408," Microsoft said in a blog post. "We also worked with Apple on addressing the macOS-specific issues related to these vulnerabilities. We (also) thank Gergely (Kalman) for his contributions in advancing this research and community engagement."

Memory corruption vulnerabilities can be exploited in a range of attacks, including denial of service (DoS), privilege escalation, arbitrary code execution, and leaking sensitive information.

ncurses flaws allow environment variable poisoning

The ncurses library uses terminal databases to be terminal independent (the terminal's capabilities are not required to be known ahead of time), Microsoft noted. This means that the library has access to a set of key information regarding the terminal being used.

"Terminal databases contain a set of capabilities that ultimately determine the control characters that are sent to the terminal (instructing the terminal to perform basic interactions) and describe various properties of the terminal," Microsoft said.

During its research, Microsoft discovered that during initialization the ncurses library searches for several environment variables, including TERMINFO, an environment variable that tells the library where to find terminal databases.
TERMINFO can be poisoned (manipulated) to point to an arbitrary directory, so that the library loads a terminal database the attacker controls; that is the route by which the ncurses vulnerabilities can be reached. HOME, another environment variable used by ncurses (the library also looks for databases under $HOME/.terminfo), can be poisoned with similar techniques.

"Every modern operating system contains a set of environment variables that might affect the behavior of programs," Microsoft said. "A well-known technique for attackers is to manipulate those environment variables to cause programs to perform actions that would benefit their malicious purposes, hence 'poisoning' them."

Vulnerabilities found in version 6.4 and earlier

Microsoft said that it found the vulnerabilities in the ncurses library through code auditing and fuzzing. It also credited contributions from Gergely Kalman, who assisted Microsoft privately on Twitter in advancing the research with several use cases.

Microsoft noted that while the auditing was performed on the latest version of ncurses, release 6.4, earlier versions of the library may also carry some or all of these vulnerabilities. Since the fix shipped as the 20230408 patch to 6.4 rather than as a new release, checking for the patch level (or a distribution backport of it) is more useful than checking the major version alone.

"It's interesting to note that while the version of ncurses we checked was 6.4 (latest at the time of research), the ncurses version on macOS was 5.7, but had several security-related patches maintained by Apple," Microsoft said. "Nevertheless, all our findings are true for all ncurses versions, thus affecting both Linux and macOS."

Microsoft has recommended using Microsoft Defender for detecting and protecting against potential abuse of TERMINFO databases on both Linux and macOS.
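To make the poisoning described above concrete, here is an added illustration (not code from Microsoft, the article, or ncurses itself) that models the order in which ncurses consults directories for a compiled terminfo entry, shows how a TERMINFO or HOME value redirects that lookup to an attacker-controlled file, and runs a simple audit over constructed process records of the kind a detection rule for TERMINFO abuse would examine. The search order follows terminfo(5) (TERMINFO, then $HOME/.terminfo, then TERMINFO_DIRS, then the compiled-in system directories); the system directory list, the two file-layout variants, and the "writable location" prefixes are assumptions chosen for the example.

```python
"""
How ncurses locates a compiled terminfo entry, and an audit for environments
that steer that lookup at a directory the attacker controls.

Added example for this article; not Microsoft's, the article's, or ncurses' code.
Search order per terminfo(5): TERMINFO, $HOME/.terminfo, TERMINFO_DIRS, then the
compiled-in system directories. SYSTEM_TERMINFO_DIRS, the subdirectory layouts and
WRITABLE_PREFIXES are assumptions for illustration only.
"""
import os

# Assumed compiled-in locations; the real list depends on how ncurses was built.
SYSTEM_TERMINFO_DIRS = ("/etc/terminfo", "/lib/terminfo", "/usr/share/terminfo")

# Locations an unprivileged user can usually write to (assumption).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/private/tmp/")


def terminfo_search_path(env, system_dirs=SYSTEM_TERMINFO_DIRS):
    """Directories in the order ncurses consults them for a terminfo entry."""
    dirs = []
    if env.get("TERMINFO"):
        dirs.append(env["TERMINFO"])            # attacker-controllable
    if env.get("HOME"):
        dirs.append(os.path.join(env["HOME"], ".terminfo"))  # attacker-controllable
    dirs.extend(d for d in env.get("TERMINFO_DIRS", "").split(":") if d)
    dirs.extend(system_dirs)
    ordered = []
    for d in dirs:  # keep the first occurrence only
        if d not in ordered:
            ordered.append(d)
    return ordered


def entry_candidates(directory, term):
    """File names for `term` under one directory: the letter subdirectory used on
    Linux ('x/xterm') and the two-hex-digit subdirectory used on macOS/BSD ('78/xterm')."""
    first = term[0]
    return [os.path.join(directory, first, term),
            os.path.join(directory, "%02x" % ord(first), term)]


def resolve_terminfo(env, term, exists=os.path.isfile):
    """Return the first entry file found along the search path, or None.
    `exists` is injectable so the lookup can be exercised without a real filesystem."""
    for directory in terminfo_search_path(env):
        for path in entry_candidates(directory, term):
            if exists(path):
                return path
    return None


def _under(path, prefixes):
    """True if `path` equals or lies beneath one of `prefixes`."""
    norm = os.path.normpath(path)
    for prefix in prefixes:
        prefix = os.path.normpath(prefix)
        if norm == prefix or norm.startswith(prefix + os.sep):
            return True
    return False


def audit_env(env, system_dirs=SYSTEM_TERMINFO_DIRS):
    """Flag variables that pull the terminfo lookup outside the system directories.
    Returns a list of (variable, value, reason) tuples; empty means nothing suspicious."""
    findings = []
    terminfo = env.get("TERMINFO")
    if terminfo and not _under(terminfo, system_dirs):
        findings.append(("TERMINFO", terminfo, "points outside the system terminfo directories"))
    for component in env.get("TERMINFO_DIRS", "").split(":"):
        if component and not _under(component, system_dirs):
            findings.append(("TERMINFO_DIRS", component, "component outside the system terminfo directories"))
    home = env.get("HOME")
    if home and _under(home, WRITABLE_PREFIXES):
        findings.append(("HOME", home, "$HOME/.terminfo would be read from a world-writable location"))
    return findings


def audit_process_events(events):
    """Run audit_env over process-start records ({'pid', 'image', 'env'}) and
    return an alert for each process whose terminfo lookup is poisoned."""
    alerts = []
    for event in events:
        hits = audit_env(event["env"])
        if hits:
            alerts.append({"pid": event["pid"], "image": event["image"], "findings": hits})
    return alerts


if __name__ == "__main__":
    # Constructed sample records: one benign shell and one process whose
    # TERMINFO has been redirected to a directory the attacker controls.
    sample_events = [
        {"pid": 101, "image": "/bin/bash",
         "env": {"HOME": "/home/alice", "TERM": "xterm"}},
        {"pid": 102, "image": "/usr/bin/vim",
         "env": {"HOME": "/home/alice", "TERM": "xterm", "TERMINFO": "/tmp/evil"}},
    ]
    for alert in audit_process_events(sample_events):
        print(alert)
    # The file ncurses would parse for pid 102 if the attacker had planted it:
    planted = {"/tmp/evil/x/xterm"}
    print(resolve_terminfo(sample_events[1]["env"], "xterm", exists=planted.__contains__))
```

The audit deliberately treats any non-system TERMINFO as suspicious rather than trying to judge the file's contents: the point of the finding is that the library will parse whatever the user-controlled directory holds. Note that on a real host ncurses also applies its own restrictions for set-user-ID programs; treat the rule as an analytic over process telemetry, not as a statement of which processes are exploitable.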