A set of reminiscence corruption flaws have been found within the ncurses (quick for brand new curses) programming library that may very well be exploited by risk actors to run malicious code on susceptible Linux and macOS methods.
“Utilizing setting variable poisoning, attackers may chain these vulnerabilities to raise privileges and run code within the focused program’s context or carry out different malicious actions,” Microsoft Menace Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse stated in a technical report revealed at the moment.
The vulnerabilities, collectively tracked as CVE-2023-29491 (CVSS rating of seven.8), have been addressed as of April 2023. Microsoft stated it additionally labored with Apple on addressing the macOS-specific points associated to those flaws.
Surroundings variables are user-defined values that can be utilized by a number of packages on a system and may have an effect on the way by which they behave on the system. Manipulating the variables may cause purposes to carry out in any other case unauthorized operations.
Microsoft’s code auditing and fuzzing discovered that the ncurses library searches for a number of setting variables, together with TERMINFO, which may very well be poisoned and mixed with the recognized flaws to realize privilege escalation. Terminfo is a database that permits packages to make use of show terminals in a device-independent method.
The issues embody a stack data leak, a parameterized string kind confusion, an off-by-one error, a heap out-of-bounds throughout terminfo database file parsing, and a denial-of-service with canceled strings.
“The found vulnerabilities may have been exploited by attackers to raise privileges and run code inside a focused program’s context,” the researchers stated. “Nonetheless, gaining management of a program via exploiting reminiscence corruption vulnerabilities requires a multi-stage assault.”
“The vulnerabilities might have wanted to be chained collectively for an attacker to raise privileges, resembling exploiting the stack data leak to realize arbitrary learn primitives together with exploiting the heap overflow to acquire a write primitive.”