A set of memory corruption vulnerabilities has been discovered in the ncurses (short for new curses) programming library that could be exploited by malicious actors to run malicious code on vulnerable Linux and macOS systems.
“By using environment variable poisoning, attackers could chain these vulnerabilities together to elevate privileges and execute code in the context of the targeted program or perform other malicious actions,” Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi and Michael Pearse said in a technical report released today.
The vulnerabilities, collectively tracked as CVE-2023-29491 (CVSS score: 7.8), were addressed in April 2023. Microsoft said it also worked with Apple to resolve macOS-specific issues related to the flaws.
Environment variables are user-defined values that multiple programs on a system can read and that can affect how those programs behave. Manipulating them can cause applications to perform operations they would otherwise not be authorized to perform.
Microsoft’s code auditing and fuzzing revealed that the ncurses library reads several environment variables, including TERMINFO, that could be poisoned and combined with the identified vulnerabilities to achieve privilege escalation. Terminfo is a database that lets programs drive display terminals in a device-independent manner.
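The defensive consequence of the paragraph above is that a program running with more privilege than its caller (setuid/setgid, or started by root from an untrusted session) should not let the inherited environment decide where terminal descriptions are loaded from. The following C program is an added example, not code from the article or from ncurses: it validates TERMINFO and TERMINFO_DIRS against a list of root-owned directories and strips the lookup variables from an environment array before any curses initialisation. The trusted prefixes are assumed defaults, the treatment of empty TERMINFO_DIRS entries as "use the compiled-in default" follows the ncurses manual, and the inclusion of TERMINFO_DIRS and TERMCAP (the article only names TERMINFO) rests on ncurses documentation rather than on the report. The sample environment in main() is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Variables that steer where ncurses loads terminal descriptions from.
 * TERMINFO is named by the article; TERMINFO_DIRS and TERMCAP are added
 * from ncurses documentation (assumption, not from the report). */
static const char *const kTerminalEnvVars[] = {
    "TERMINFO", "TERMINFO_DIRS", "TERMCAP", NULL
};

/* Root-owned terminfo locations this program will accept (assumed defaults). */
static const char *const kTrustedPrefixes[] = {
    "/usr/share/terminfo/", "/lib/terminfo/", "/etc/terminfo/", NULL
};

/* 1 if path is absolute, has no ".." component and sits under a trusted
 * prefix (or equals one without the trailing slash); 0 otherwise. */
int terminfo_path_is_trusted(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p += 2) {
        int at_start = (p == path) || (p[-1] == '/');
        int at_end = (p[2] == '\0') || (p[2] == '/');
        if (at_start && at_end)
            return 0;               /* traversal out of the trusted tree */
    }
    for (int i = 0; kTrustedPrefixes[i] != NULL; i++) {
        size_t n = strlen(kTrustedPrefixes[i]);
        if (strncmp(path, kTrustedPrefixes[i], n) == 0)
            return 1;
        if (strlen(path) == n - 1 && strncmp(path, kTrustedPrefixes[i], n - 1) == 0)
            return 1;
    }
    return 0;
}

/* TERMINFO_DIRS is a colon-separated list; every non-empty entry must be
 * trusted. Empty entries mean the compiled-in default (assumption from the
 * ncurses manual) and are skipped. Unset (NULL) cannot be poisoned. */
int terminfo_dirs_all_trusted(const char *list)
{
    if (list == NULL)
        return 1;
    char *copy = malloc(strlen(list) + 1);
    if (copy == NULL)
        return 0;
    strcpy(copy, list);
    int ok = 1;
    for (char *cur = copy; ok; ) {
        char *colon = strchr(cur, ':');
        if (colon)
            *colon = '\0';
        if (*cur != '\0' && !terminfo_path_is_trusted(cur))
            ok = 0;
        if (!colon)
            break;
        cur = colon + 1;
    }
    free(copy);
    return ok;
}

/* Look up NAME in a NULL-terminated "NAME=value" array. */
const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e + n + 1;
    return NULL;
}

/* Drop every terminal lookup variable from the array, compacting it in
 * place (works on `environ` or on an array about to go to execve).
 * Returns the number of entries removed. */
int scrub_terminal_env(char **envp)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        int drop = 0;
        for (int i = 0; kTerminalEnvVars[i] != NULL && !drop; i++) {
            size_t n = strlen(kTerminalEnvVars[i]);
            drop = strncmp(*in, kTerminalEnvVars[i], n) == 0 && (*in)[n] == '=';
        }
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* A setuid/setgid binary launched by a less privileged caller sees differing
 * real and effective ids; its environment must then be treated as hostile. */
int env_is_untrusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

int main(void)
{
    /* Constructed sample environment, standing in for what a caller passed. */
    char *env[] = {
        "PATH=/usr/bin:/bin", "TERM=xterm-256color",
        "TERMINFO=/tmp/untrusted-terminfo",
        "TERMINFO_DIRS=/usr/share/terminfo:/tmp/untrusted-terminfo", NULL
    };
    const char *ti = env_lookup(env, "TERMINFO");
    const char *dirs = env_lookup(env, "TERMINFO_DIRS");
    if (!terminfo_path_is_trusted(ti) || !terminfo_dirs_all_trusted(dirs))
        printf("untrusted terminfo location in environment, scrubbing %d variable(s)\n",
               scrub_terminal_env(env));
    /* The program would now initialise curses using only system defaults. */
    return 0;
}
```

In a real privileged program the scrub is unconditional whenever env_is_untrusted() reports differing ids; the path checks are useful for logging what was rejected, not as a substitute for discarding the variables.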
The vulnerabilities include a stack information leak, parameterized string type confusion, an off-by-one error, a heap out-of-bounds access while parsing the terminfo database file, and a denial of service involving cancelled strings.
“The discovered vulnerabilities could have been exploited by attackers to elevate privileges and execute code in the context of a targeted program,” the researchers said. “Nevertheless, gaining control of a program by exploiting memory corruption vulnerabilities requires a multi-stage attack.”
“It might have been necessary to chain the vulnerabilities so that an attacker could elevate privileges, for example by exploiting the stack information leak to obtain arbitrary read primitives and exploiting the heap overflow to obtain a write primitive.”