Security specialists at Microsoft recently discovered several vulnerabilities in the popular ‘ncurses’ library. Through these vulnerabilities, attackers can run malicious code in macOS, Linux and FreeBSD applications. A patch is available.
The widely used programming library ‘ncurses’ provides APIs for text-based user interfaces and terminal applications. These features allow developers to create windows, modify text, deploy user input, use colours and handle other use cases for terminal UI applications, among other things.
‘Poisoning’ of environment variables
The ‘gremlins’, which were discovered by Microsoft, are mainly memory corruption vulnerabilities, which enable data leakage, data modification, privilege escalation and running arbitrary code.
These are mainly so-called ‘memory corruption’ problems in ncurses library version 6.4 20230408 and earlier. The vulnerabilities allow hackers to abuse the TERMINFO environment variable. The library uses this variable to look up the capabilities of a terminal, as well as the capabilities of the HOME variable. The latter variable describes the path to an end user’s home directory.
Another possibility for the hackers is to “poison” environment variables; this is a well-known attack technique. Here, hackers modify the environment variable information to affect application behaviour or cause it to crash. In addition, this technique is used for privilege escalation, running arbitrary code and triggering DNS attacks.
Patch released
Microsoft has since released a patch for the discovered vulnerabilities summarized in CVE-2023-29491. Developers are advised to update their libraries as soon as possible. Microsoft and Apple are still working together on a fix for macOS users.
Also read: API security doesn’t get the priority treatment it needs