CVE-2020-19189 - Buffer Overflow Vulnerability in Ncurses 6.1 Postprocess Terminfo Function, Potentially Enabling Denial of Service Attacks

A buffer overflow vulnerability has been discovered in ncurses 6.1, specifically in the postprocess_terminfo function located in tinfo/parse_entry.c:997. This vulnerability may allow remote attackers to cause denial of service on the target system by sending crafted commands. In this post, we will go through the details of this vulnerability, demonstrate a code snippet, provide links to original references, and discuss exploit details.

Background

Ncurses is a mainstay in UNIX-like systems, providing a scripting library for developing text-based interfaces and terminal displays. The library is widely used in various applications, such as file managers, terminal emulators, and text editors.

Buffer Overflow Vulnerability Details

At the root of CVE-2020-19189 lies a buffer overflow vulnerability. This occurs when a malicious command can trigger the overflow condition in the vulnerable function, causing unintended consequences. When the buffer overflow occurs in postprocess_terminfo, the function tries to read data beyond its buffer. As a result, remote attackers can potentially execute denial of service attacks and potentially compromise the system's overall stability and integrity.

Here's the code snippet of the vulnerable function

static void
postprocess_terminfo(TERMTYPE *tp)
{
  int i, y;
  int hascolor = (((tp->_ospeed = tp->_cur_ospeed) > tp->_sgrparm1) && !tp->_sgrparm2) == ;
  ...
  for (i = ; i < NUM_TERMINAL_CODES(tp); i++) {
    if (_nc_tracing && _nc_windows_trace >= 3)
      (void) fprintf(_nc_win_trace_fp, "Checking %-14s %s%s",
        _nc_select_piece(tp->numerator.at(i), ASPD(tp)),
        _nc_printf_length_string(tp->Array),
        _nc_printf_decimal(tp->lengths));
      for (y = ; _nc_required_element_count > y; ++y)
        if (_nc_postprocess_check(tp->sequence_index.at(y)) == ERR)
          safe_failure(_NC(NO_WORK));
    }
  }

In the above snippet, a buffer overflow can potentially be caused within the for-loop, executing the system call if (_nc_postprocess_check(tp->sequence_index.at(y)) == ERR).

The vulnerability details can be found in the following original references

- NVD (National Vulnerability Database) - CVE-2020-19189
- Github Issue - ncurses Buffer Overflow #13

Though this CVE is marked as low severity, it still poses potential risks. In order to successfully exploit this vulnerability, an attacker must first gain access to an environment which makes use of ncurses. After gaining access, the attacker can then craft commands that cause the buffer overflow, attempting to execute a denial of service attack, or even attempting to gain more control over the target system.

Remediation Steps

To mitigate this vulnerability, it is recommended for system administrators and user to update their ncurses installations to the latest version. Additionally, users of applications which depend on ncurses should make sure to download the latest available version from the vendor's release website.

Conclusion

CVE-2020-19189 exposes a buffer overflow vulnerability in ncurses 6.1 that could potentially allow remote attackers to execute a denial of service attack on target system. It is crucial for both developers and end users to be aware of this vulnerability, and apply the necessary remediation steps in order to protect their systems from potential security risks.

Timeline

Published on: 08/22/2023 19:16:01 UTC
Last modified on: 10/20/2023 21:21:18 UTC