Microsoft’s investigative team has identified several memory corruption vulnerabilities within the ncurses programming library. These vulnerabilities pose a potential risk to Linux and macOS systems, allowing hackers the opportunity to execute harmful code.
The research team, composed of Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse from Microsoft Threat Intelligence, detailed in their latest report how threat actors could use environment variable manipulation to take advantage of these flaws. The objective? To increase privileges and execute commands in the context of the affected application or initiate other malevolent tasks.
Designated as CVE-2023-29491 and having a CVSS score of 7.8, these vulnerabilities have been rectified as of April 2023. Microsoft has also collaborated with Apple to tackle macOS-specific challenges arising from these vulnerabilities.
For clarity, environment variables are customizable values accessible by multiple software applications on a device. Tweaking these can sometimes lead apps to execute actions they aren’t typically authorized to do.
During Microsoft’s in-depth code review and testing, it was determined that the ncurses library looks for a range of environment variables. One such variable is TERMINFO. Threat actors can tamper with it, combining this with the detected vulnerabilities, to escalate privileges. TERMINFO serves as a database, allowing software to interface with display terminals in a universal manner.
A breakdown of the vulnerabilities includes a stack data disclosure, confusion over parameterized string types, minor counting errors, and problems related to terminfo database file interpretation, such as a heap boundary violation and a denial-of-service using invalidated strings.
The team emphasized, “While these vulnerabilities could provide pathways for hackers to escalate their access and execute commands in a given program’s environment, achieving this requires a layered attack approach.”
They further explained that to actually elevate access, a combination of vulnerabilities might be essential. This could mean utilizing the stack data disclosure to acquire arbitrary reading capabilities, coupled with exploiting the heap boundary violation to gain write capabilities.